United Kingdom

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight

General context, key principles and hot topics

1 Identify the highest-profile corporate investigation under way in your country, describing and commenting on its most noteworthy aspects.

In July 2020, the Serious Fraud Office (SFO) reached a deferred prosecution agreement (DPA) with G4S Care and Justice Services (UK) Ltd (G4S C&J) in respect of a scheme to defraud the Ministry of Justice in connection with contracts for electronic monitoring of offenders. The quantum agreed in that matter was £38.5 million plus costs but, of perhaps greater significance, was the application of a reduced discount of 40 per cent, said to relate to the delayed nature of G4S C&J’s substantial co-operation with the SFO. In September 2020, three former executives of G4S C&J were charged with defrauding the Ministry of Justice. The matter is listed for trial in January 2022.

On 5 February 2021, the UK Supreme Court handed down its judgment in R (KBR, Inc) v. Director of the Serious Fraud Office ([2021] UKSC 2), overturning an earlier decision of the High Court, confirming the well-established presumption that UK legislation is generally not intended to have extraterritorial effect. The UK High Court had previously held that the SFO could lawfully require non-UK companies to produce materials held abroad (under its Criminal Justice Act 1987 powers – see further below), provided there was a ‘sufficient connection’ between the company and the United Kingdom. The Supreme Court ruled that the SFO had not been intended to have such broad extra­territorial compulsory powers, noting that Parliament had instead developed mutual legal assistance to facilitate international investigations and prosecutions. In March 2021, the SFO announced that it had closed its investigation into the activities of KBR, Inc’s UK subsidiaries, their officers, employees and agents.

In April 2021, the prosecution by the SFO of fraud charges against two former directors of Serco Geografix Limited (Serco) collapsed. The SFO issued a statement confirming that ‘this follows a prosecution review of its disclosure process for the trial, which uncovered errors made in the non-disclosure of certain materials’, noting that it was ‘considering how best to undertake an assessment to prevent this from happening in the future’. The case again highlights the effects of procedural failings in criminal proceedings, where disclosure obligations remain significant and continue throughout the life of litigation, irrespective of the volume or age of material available or previously disclosed.

In May 2021, the SFO announced it was investigating suspected fraud, fraudulent trading and money laundering in relation to the financing and conduct of the business of companies within the Gupta Family Group Alliance, including its financing arrangements with Greensill Capital UK Ltd. At the time of writing, the investigation remains ongoing.

The SFO also resolved four further investigations by way of DPAs with Airline Services Ltd (agreed on 30 October 2020), Amec Foster Wheeler Energy Limited (agreed on 1 July 2021), and two unnamed companies (agreed on 19 July 2021), embedding the DPA regime as a means, subject to court approval, for corporates and the SFO to resolve cases involving allegations of serious and complex economic corporate crime, avoiding a criminal conviction.

Finally, investigations into the corporate offence of failing to prevent the facilitation of tax evasion continue to gather speed. As at 27 May 2021, Her Majesty’s Revenue and Customs (HMRC, the UK tax administration) confirmed it had 14 live investigations into corporates failing to prevent the facilitation of UK tax evasion (an offence introduced as of 30 September 2017). A further 14 live opportunities were also said to be under review, spanning 10 business sectors, including financial services, oils, construction, labour provision and software development.

2 Outline the legal framework for corporate liability in your country.

A corporation can be held criminally liable under the laws applicable to the United Kingdom (the laws of England and Wales, Northern Ireland and Scotland, referred to collectively as UK laws) and there are several ways this can arise, depending on the factual circumstances and the types of underlying conduct.

Typically, corporate criminal offences of strict liability and offences involving a company’s vicarious liability for its employees’ actions arise for a range of regulatory offences under UK laws. These features of corporate criminal liability are not considered in detail in this chapter as they tend to be less common in relation to financial crime matters, with the exception of offences involving company legislation.

For other types of offences, including fraud and corruption, the law developed the ‘identification doctrine’ as a means of imputing criminal liability to a corporate. This attributes the knowledge of a corporate’s directing mind – the individual or individuals who control the actions of the corporate (for example, its directors or senior managers) – to the corporate itself. In practice this has proved difficult in all but the simplest cases involving small companies with unsophisticated structures. The difficulties are particularly apparent in larger companies or multinationals with more diffuse decision-making among management teams and where complex corporate structures may mean there are numerous reporting lines that would need to be assessed.

In recent years, to meet some of the criticisms of the identification doctrine, the United Kingdom has introduced two types of ‘failure to prevent’ corporate offences, essentially holding the corporate liable for failing to prevent certain types of wrongdoing, subject in each case to the corporate being able to raise a compliance-related defence (i.e., that it had in place either adequate or reasonable procedures designed to prevent the defined type of wrongdoing occurring). The ‘failure to prevent’ corporate offence exists under UK laws in relation to bribery (under the Bribery Act 2010) and the facilitation of tax evasion (under the Criminal Finances Act 2017). Both regimes have extraterritorial reach and allow for a company to face prosecution if it fails to prevent bribery or facilitation of tax evasion by a third party performing services either for the company or on its behalf.

3 Which law enforcement authorities regulate corporations? How is jurisdiction between the authorities allocated? Do the authorities have policies or protocols relating to the prosecution of corporations?

The United Kingdom has three legal systems and jurisdictions for criminal law purposes, each of which applies geographically: England and Wales, Northern Ireland and Scotland. The criminal laws of England and Wales and of Northern Ireland are similar, whereas Scots law and procedure is markedly different.

In the United Kingdom as a whole, allegations of corporate offending involve the same criminal process, enforcement agencies and court system as investigations and prosecutions of individuals. As a corporate is a legal rather than a natural person, certain steps vary because of this status (e.g., how it may need to respond to enquiries from a law enforcement authority, how a corporate will appear in court (via counsel) and how it is sentenced if guilty of an offence). Some key law enforcement authorities involved in the regulation, investigation or prosecution of corporates include (not exhaustively) the following:

  • SFO – set up with special powers under the Criminal Justice Act 1987 for the investigation and prosecution of large and complex corporate fraud and corruption;
  • National Crime Agency (NCA) and local police forces – tends to lead investigations involving significant but smaller-scale or less complex fraud or corporate crime, which is then prosecuted by the Crown Prosecution Service (CPS). The NCA’s powers also extend to Northern Ireland;
  • The Police Service of Northern Ireland – investigates crimes within the jurisdiction of Northern Ireland. Crimes are then prosecuted by the Public Prosecution Service of Northern Ireland (PPSNI);
  • The Police Service of Scotland (Police Scotland) – investigates crimes within the jurisdiction of Scotland. Crimes are then prosecuted by the Crown Office and Procurator Fiscal Service (COPFS);
  • HMRC – investigates tax-related offending (including money laundering) throughout the United Kingdom, which is then prosecuted by the CPS, the PPSNI or the COPFS, as appropriate. HMRC is also responsible for the enforcement of export controls;
  • Financial Conduct Authority (FCA) – regulator of the financial services industry. As a regulator, it can impose civil sanctions for misconduct, but may also prosecute regulated firms or individuals for specific market-related offences, such as insider trading and market manipulation and associated money laundering;
  • Competition and Markets Authority (CMA) – investigates anticompetitive behaviour. It may impose civil sanctions but can also prosecute cartel offences;
  • Department for Business, Innovation and Skills (the UK government department became part of the Department for Business, Energy and Industrial Strategy in July 2016) and the Department for Economy (Northern Ireland) – these departments respectively investigate and prosecute activities concerning the affairs of companies, including fraudulent trading and breaches of bankruptcy or disqualification orders;
  • Information Commissioner’s Office – investigates and prosecutes or imposes civil sanctions for data protection offences;
  • Health and Safety Executive (HSE) and Health and Safety Executive for Northern Ireland (HSENI) – the HSE investigates and prosecutes or imposes civil sanctions for health and safety offences. In Northern Ireland, it is the PPSNI (not the HSENI) that brings prosecutions. Prosecutions in Scotland are brought by COPFS;
  • Office of Gas and Electricity Markets (known as Ofgem) – investigates and prosecutes certain criminal offences under legislation focused on the energy sector;
  • Environment Agency, Northern Ireland Environment Agency and Scottish Environmental Protection Agency – investigate and prosecute environmental crime (in Scotland, the prosecution is brought by COPFS and in Northern Ireland by the PPSNI); and
  • UK Office of Financial Sanctions Implementation, a department of Her Majesty’s Treasury – although not a prosecutor, it has significant additional powers to impose financial penalties for breaches of financial sanctions measures.

Police Scotland has a dedicated economic crime unit, but investigations into serious and complex frauds are overseen by COPFS’s economic crime unit. The SFO can also investigate crimes that have occurred in Scotland if they affect other parts of the United Kingdom, but it cannot prosecute cases in or exclusively from Scotland.

There can be concurrent jurisdiction between the SFO and COPFS, particularly with respect to overseas bribery cases and guidance notes, and memoranda of understanding deal with the agreed approaches to co-operation, primacy and guiding principles.

In July 2011, COPFS published its civil settlement guidance, which encourages Scottish and other companies that have committed bribery offences within the jurisdiction of Scotland to self-report to COPFS in return for the opportunity to resolve the case through a civil settlement mechanism. The initiative must be reviewed and approved each year by the Lord Advocate.

In February 2014, following the introduction of DPAs in England and Wales (but not Scotland or Northern Ireland), the SFO and the CPS published a Deferred Prosecution Agreements Code of Practice setting out public interest factors for and against offering a corporate a non-prosecutorial resolution by way of a DPA.

In August 2019, the SFO issued its Corporate Co-operation Guidance as part of its Operational Handbook, which it will use in making charging decisions in relation to allegations of bribery and corruption.

In January 2020, the SFO issued further guidance for corporates and published another chapter of its Operational Handbook entitled ‘Evaluating a Compliance Programme’.

4 What grounds must the authorities have to initiate an investigation? Is a certain threshold of suspicion necessary to trigger an investigation?

Law enforcement authorities must have reasonable grounds to suspect that a criminal offence has been committed to exercise their investigative powers; those suspicions may be founded on evidence or intelligence.

The SFO may investigate any suspected offence that appears, on reasonable grounds, to the director of the SFO to involve serious or complex fraud. The SFO’s powers to compel the production of evidence under section 2 of the Criminal Justice Act 1987 can be exercised in any case in which it appears to the director that there is good reason to do so for the purpose of investigating the affairs, or any aspect of the affairs, of any person. The power does not have extraterritorial effect. Additionally, and only in relation to possible bribery and corruption with an international dimension, the SFO may apply a lower test under section 2A of the Criminal Justice Act 1987 to compel the production of evidence if it appears that relevant conduct may have taken place for the purpose of enabling the SFO to decide whether to open a formal investigation.

HMRC has both criminal and civil functions. Its selective criminal investigation policy is a matter of public record.

Criminal investigations into suspected fraud will be considered if civil powers are considered inadequate to address the behaviour or risk, when the severity of the conduct or strong deterrent messaging is required.

5 How can the lawfulness or scope of a notice or subpoena from an authority be challenged in your country?

Depending on the authority and type of notice, it may be possible to agree informally on a narrower scope of information to be produced without having to formally challenge the lawfulness or scope. Otherwise the recipient may challenge the lawfulness or scope of the notice or production order by way of application to court. Usually this challenge will be by way of judicial review (in Scotland, a bill of suspension), although under certain statutes it may be possible for the company to seek a hearing before the issuing court or tribunal.

6 Does your country make use of co-operative agreements giving immunity or leniency to individuals who assist or co-operate with authorities?

There is the possibility of immunity or leniency for individuals who assist or co-operate in the investigation or prosecution of criminal offences.

Section 71 of the Serious Organised Crime and Police Act 2005 (SOCPA) allows certain prosecutors, including the SFO, to grant any person immunity from prosecution in England and Wales or Northern Ireland by issuing a written immunity notice. This notice, which will specify the criminal offences for which no proceedings can be brought, ceases to have effect if the person fails to comply with the conditions contained in the notice. The use of section 71 is relatively rare.

Section 73 of SOCPA provides a means to incentivise assistance from defendants. A defendant who, pursuant to a written agreement with a relevant prosecutor, has provided, or has offered to provide, assistance to an investigator or prosecutor is eligible to receive a reduction in sentence, provided a guilty plea has been tendered. Judges are required to state in open court the sentence that would have been imposed but for the assistance given or offered, unless it would not be in the public interest to disclose that the sentence has been discounted.

Broadly equivalent principles relating to immunity and leniency apply in Scotland under Part 3 of the Police, Public Order and Criminal Justice (Scotland) Act 2006.

The CMA also operates a leniency policy under which businesses and individuals that provide evidence of cartel activity and co-operate with the CMA’s investigation can benefit from a reduction in or, in some circumstances, complete immunity from penalties.

7 What are the top priorities for your country’s law enforcement authorities?

International corruption and a coordinated global approach to defeat it remains a top priority for the UK government and its law enforcement authorities, together with a desire to harness the expertise of the private sector if the objectives set out in the government’s Economic Crime Plan 2019–2022, published in July 2019, are to be achieved.

Commitment to co-operation with other criminal justice agencies, both domestic and international, is echoed in the SFO’s Annual Report and Accounts 2020–2021, which identifies one of its primary objectives for the year as to ‘develop, and strengthen, constructive relationships with partners both in the UK and internationally’. Strengthening partnerships and exploring opportunities to tackle transnational economic crime in a coordinated and collaborative way remains a priority of the SFO. Equally, intelligence is a key priority, with the SFO’s Intelligence Division undertaking a series of threat assessments throughout 2020 to enable it to respond to the changing landscape of economic crime.

During the coronavirus pandemic, there has been an upsurge in those seeking to exploit the situation and take advantage of the many schemes designed to preserve the economy. Law enforcement agencies, including HMRC, have been keen to send a clear message that frauds abusing coronavirus relief schemes will not be tolerated.

A focus on tax evasion led to the introduction of the corporate criminal offence of failing to prevent the facilitation of tax evasion, which came into force in September 2017, and there have been increasing calls to extend the ‘failure to prevent’ offences to include a schedule of broader economic crimes, such as fraud and money laundering. In November 2020, the government asked the Law Commission to publish a paper providing an assessment of different options for reform. This project is now under way, with the Law Commission reviewing the law relating to the criminal liability of non-natural persons, including companies, and providing options for reform.

A further focus is increased transparency of the beneficial ownership of foreign companies investing in UK property or bidding for government contracts. The UK government seeks to make public registers the global norm by the end of 2023 and, on 1 September 2021, restated its commitment to these transparency objectives. Until the public registers are in place, agencies such as HMRC, the SFO and the NCA make use of a comparable ‘exchange of notes’ requesting protocol.

Effective from 31 January 2018, the Criminal Finances Act 2017 introduced unexplained wealth orders (UWOs) in respect of politically exposed persons or others suspected of involvement in serious crime. UWOs are high court orders following an application from enforcement authorities, such as the FCA, the NCA, the SFO or HMRC, and may be accompanied by an interim freezing order. The respondent is required to set out the nature of interest in the specified property (which must be valued at more than £50,000) and how it was obtained. Failure to respond without a reasonable excuse is met with a presumption that property is recoverable. It is a criminal offence to make reckless or false statements, for which there is a maximum two-year prison sentence and fine. UWOs have been used in four cases, only one of which (based on publicly available information) has resulted in recovery of the assets.

On 27 July 2021, the UK government published its Beating Crime Plan, which includes building capability to deal with fraud, cyber and online crime. It follows the issue by the CPS of its Economic Crime Strategy in March 2021, which set outs its five-year plan focusing on fraud, bribery and corruption, money laundering, terrorist financing, sanctions and market and regulator abuse. Likewise, fraud featured heavily within the FCA’s Business Plan 2021–2022, published in July 2021, which explained how the FCA sees its future role and priorities. As part of its Beating Crime Plan, the UK government announced that it will replace Action Fraud, its current national reporting centre for fraud and cybercrime, with an improved national fraud and cybercrime reporting system, and increase intelligence capabilities within the NCA and the national security community to identify the most harmful criminals and organised criminal gangs.

8 To what extent do law enforcement authorities in your jurisdiction place importance on a corporation having an effective compliance programme? What guidance exists (in the form of official guidance, speeches or case law) on what makes an effective compliance programme?

The ‘failure to prevent’ offences introduced by the Bribery Act 2010 and the Criminal Finances Act 2017 require corporates to establish, to a civil standard, that they have ‘adequate’ (bribery) or ‘reasonable’ (facilitation of tax evasion) prevention procedures in place if they are to avail themselves of the statutory defence. The government has introduced high-level guidance in respect of each enactment to assist corporates and their advisers in assessing what might be considered adequate or reasonable.

Each set of guidance references six principles that should inform an effective compliance programme: top-level commitment; risk assessment; proportional risk-based procedures; due diligence procedures; communications and training; and monitoring and review. In respect of Criminal Finances Act offences, sector-specific guides have also been issued by The Law Society of England and Wales and the financial services sector (and ratified by the government).

The aforementioned six principles provide a useful framework in which to assess the effectiveness of a corporate’s compliance programme; however, they are not intended to be prescriptive. A compliance programme should be risk-based and proportionate to the respective risks a company may face.

In January 2020, the SFO published its Guidance on Evaluating a Compliance Programme (the Guidance), which is part of its internal Operational Handbook. The Guidance endorses the six principles outlined above and reiterates that corporates are expected to keep their compliance programmes under review to ensure that they are ‘genuinely proactive and effective’ and not just a ‘paper exercise’.

According to the Guidance, the SFO will consider the effectiveness of a corporate’s compliance programme at various stages of an investigation (and, in some cases, after an investigation has concluded). Examples given include whether (1) prosecution is in the public interest, (2) an organisation should be invited to negotiate a DPA, and (3) an organisation has a defence of ‘adequate procedures’ available against a charge of failure to prevent bribery.

In the context of a DPA, a compliance programme is relevant not only to the assessment of a corporate’s suitability for a DPA (a corporate that has implemented a ‘genuinely proactive and effective’ compliance programme is more likely to be viewed as having reformed and rehabilitated itself), but also the appropriateness of the proposed terms (including monitoring requirements).

The Airbus SE DPA approved in January 2020 illustrates the importance of remedial efforts as a condition for any corporate wishing to engage in the DPA process. During the period covered by the DPA, Airbus SE had extensive anti-bribery policies in place and had even secured independent certification in 2012. However, the company accepted that weaknesses in oversight had enabled its compliance measures to be circumvented. Once the wrongdoing was identified, Airbus SE overhauled its compliance programme (seemingly with reference to the six principles referred to above). This resulted in the company putting in place the following remedial steps:

  • redesigning its compliance structure and oversight mechanisms;
  • rolling out improved and strengthened due diligence processes;
  • launching a required company-wide anti-bribery and corruption risk assessment;
  • bringing in a newly elected management team; and
  • launching internal investigations into the actions of existing and former employees.

When approving the DPA, the court cited these extensive steps, recognising that the overhaul to the management and compliance structure of the business left it ‘a changed company to that which existed when the wrongdoing occurred’. This contributed to a 50 per cent reduction in the financial penalty imposed by the DPA.

Cyber-related issues

9 Does your country regulate cybersecurity? Describe the approach of local law enforcement authorities in your country to cybersecurity-related failings.

Cybersecurity is regulated through a number of statutory regimes. Following the UK’s departure from the European Union, on 1 January 2021, Regulation (EU) 2016/679 (the General Data Protection Regulation) (GDPR)) technically ceased to have effect. However, in practical terms, a UK version came into force, which carries much of the EU legislation into UK law, by virtue of the European Union Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019. The new legislation upholds the requirement that personal data is ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’. Accordingly, organisations that process personal data must have sufficient cybersecurity measures in place to protect against attack. There are mandatory reporting obligations in place where certain attacks happen. The Data Protection Act 2018 (the DP Act) then sits alongside the UK’s data protection legislation. The GDPR may also still apply directly to those companies who operate, offer services and goods to individuals, or monitor the behaviour of individuals in the European Union.

Fines have been substantially increased under the GDPR, to up to 4 per cent of annual global turnover or €20 million (whichever is higher) – the UK legislation converts the monetary maximum to £17.5 million, and the Information Commissioner’s Office (ICO) has indicated that it intends to use the full force of its powers for the most serious breaches. On 16 October 2020, the ICO issued a monetary penalty notice against British Airways for a data breach affecting more than 400,000 customers, applying the Regulatory Action Policy to determine the appropriate level of fine (£20 million). Just a month later, the ICO issued a monetary penalty notice against Marriott International Inc for £18.4 million after a breach led to the records of around 339 million guests worldwide being affected.

Cybersecurity has far-reaching consequences, however, and a range of other regulators also require notification following a cybersecurity incident; these include the Financial Conduct Authority, the Charity Commission and other professional regulatory bodies.

Cybersecurity is woven into a range of other statutory regimes. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) (as amended) regulate providers of public electronic communication services. Service providers are similarly required to take appropriate technical and organisational steps to safeguard the security of their service. The PECR also have mandatory reporting obligations but impose a shorter time frame than the GDPR; within 24 hours of becoming aware of the essential facts. Under the UK’s data protection legislation, mandatory personal data breach reports must be made within 72 hours of becoming aware of a breach. Powers open to the ICO in enforcing the PECR include criminal prosecution and a fine of up to £500,000.

Additionally, the Network and Information Systems Regulations 2018 (the NIS Regulations), which came into force on 10 May 2018, govern the threat posed to essential network systems and seek to improve the functioning of the digital economy. The NIS Regulations apply to operators of essential services and relevant digital service providers. They follow a similar principles-based approach to the GDPR, requiring systems operators to ensure appropriate and proportionate technical and organisational measures so as to manage risks to the security of a network.

The United Kingdom has opted to regulate network and information systems according to sector, and there are therefore a range of ‘competent authorities’ that act as regulators, depending on the specific sector. The NIS Regulations provide for mandatory incident reporting, with a time limit of 72 hours (from becoming aware) for reporting any incident that has a significant effect on the continuity of the essential service. A breach of the Regulations can result in a fine of up to £17 million.

Finally, with the increasing cyber threat from ransomware globally, the National Crime Agency is participating as part of a broad coalition of experts in industry, government, law enforcement and international organisations as part of a Ransomware Task Force, which has launched a comprehensive framework to combat ransomware.

10 Does your country regulate cybercrime? What is the approach of law enforcement authorities in your country to cybercrime?

The main regulations relating to cybercrime are the Computer Misuse Act 1990 (the CMA 1990), the DP Act and the Cyber Attacks (Asset Freezing) Regulations 2019 (the 2019 Regulations).

The CMA 1990 has been amended to take account of the developing nature of cybercrime. Offences can be tried summarily or on indictment with a range of maximum sentences, depending on the offence committed.

Although prosecutions have been made over many years pursuant to the CMA 1990, the ICO secured its first conviction in November 2018. The prosecution was followed by an application under the Proceeds of Crime Act and a confiscation order.

The domestic legislation that sits alongside the GDPR is the DP Act, section 170 of which makes it an offence to knowingly or recklessly obtain, disclose, procure or retain personal data without the consent of a data controller and, on indictment, the maximum sentence is an unlimited fine. The offence slightly augments that under the previous legislation (the Data Protection Act 1998). Prosecutions being brought by the ICO currently tend to be pursuant to the 1998 Act in view of the time it takes to investigate and prosecute an offence.

Proceeds of crime legislation can be used as part of the enforcement toolkit; in June 2019, for example, the ICO secured the conviction of a former managing director of a claims management company who had unlawfully obtained and sold personal data. He was sentenced to a fine of £1,050 but the benefit derived from the illegal activity was valued at £1,434,679.60. In view of the defendant’s lack of assets, a nominal £1 order was made. That action required the ICO to work in partnership with other agencies; however, on 28 June 2021, the ICO obtained additional powers pursuant to the Proceeds of Crime Act 2002 (References to Financial Investigators) Order 2021, which enable accredited financial investigators to conduct investigations, apply for restraint orders directly and carry out search and seize exercises.

Aside from unauthorised access and use of information, cybercriminals also deploy ransomware to secure a ransom demand. The aim of the 2019 Regulations, which came into force on 11 June 2019, is to address this. Measures under the 2019 Regulations include sanctions, restrictive measures and offences connected with cyberattacks threatening the European Union or its Member States.

The 2019 Regulations apply to UK nationals or any body incorporated in the United Kingdom. They have extraterritorial effect, and their measures are also applicable to conduct wholly or partly outside the United Kingdom that is perpetrated by a UK national, or a body incorporated or constituted under UK law.

The 2019 Regulations restrict interactions with ‘designated persons’ (adopting a similar approach to sanctions regimes). Dealing with or making funds available to such persons is a criminal offence. The maximum sentence under the 2019 Regulations is an unlimited fine, seven years’ imprisonment, or both. At the time of writing, eight natural persons and four legal entities have so far been designated.

Cross-border issues and foreign authorities

11 Does local criminal law have general extraterritorial effect? To the extent that extraterritorial effect is limited to specific offences, give details.

The jurisdictional basis of criminal law is generally territorial, as an offence will only be triable in the jurisdiction in which it takes place unless there is a specific provision to the contrary, for instance where specific statutes enable the UK courts to exercise extraterritorial jurisdiction.

Some examples of exceptions are worthy of note. First, under general common law principles, if a substantial part of an offence occurs in the United Kingdom (even if other parts occur outside the territory), the UK courts can have jurisdiction.

Second, under Part I of the Criminal Justice Act 1993, certain fraud, theft, forgery, false accounting, blackmail and cheat offences are triable in England and Wales if a relevant event, or part of the wrongful act within an offence, has occurred in England or Wales. The extension of jurisdiction under this statute also applies to attempts and conspiracies to commit these defined offences.

Third, the Bribery Act 2010 (and prior bribery and corruption legislation) has important provisions to allow law enforcement to investigate and prosecute cases of overseas corruption. A feature of the extraterritorial effect of the Bribery Act 2010 is that it applies to substantive corruption offences in which the acts and omissions are entirely outside the United Kingdom, if these involve UK nationals, others ordinarily resident in the United Kingdom or UK companies, among other defined categories of a party with a close connection to the United Kingdom. The failure to prevent an offence also applies worldwide to corporates that carry on part of their business in the United Kingdom, whether their headquarters are in the United Kingdom or elsewhere.

Sections 45 and 46 of the Criminal Finances Act 2017 followed the ‘failure to prevent’ model pioneered by the Bribery Act 2010 and created corporate offences of failing to prevent the facilitation of UK or foreign tax evasion. The facilitation of UK evasion will be investigated by Her Majesty’s Revenue and Customs, whereas facilitation of foreign tax evasion may be investigated by either the Serious Fraud Office (SFO) or the National Crime Agency (depending on complexity). The offences are extraterritorial in nature, albeit the foreign offence requires a UK corporate nexus and dual criminality in respect of the conduct comprising the tax evasion and the facilitation. It is anticipated that the agencies will work together to develop a uniform understanding of how these offences should be superintended.

In February 2019, the Crime (Overseas Production Orders) Act 2019 received royal assent, allowing UK law enforcement agencies to apply for a court order with extraterritorial effect (an overseas production order), to obtain data stored electronically, directly from communication service providers based outside the United Kingdom.

In October 2020, the Supreme Court heard the appeal in R (KBR Inc) v. Director of the Serious Fraud Office and confirmed that a SFO Section 2 Notice does not have extra­territorial effect.

12 Describe the principal challenges that arise in your country in cross-border investigations, and explain whether and how such challenges depend on the other countries involved.

The challenges of dealing with cross-border investigations arise from inconsistencies in the approaches of the various law enforcement agencies and the application of different laws in the relevant jurisdictions.

The principal issues are:

  • the differences in the scope and application of legal professional privilege between the jurisdictions, and ensuring that privilege is adequately protected when dealing with document or information requests from the various authorities or when conducting the internal investigation;
  • the differences in data protection laws in each jurisdiction, and ensuring that breaches do not occur in the gathering and transferring of data between jurisdictions for the purposes of the internal investigation or responding to requests from a law enforcement authority;
  • whether any of the jurisdictions impose a positive statutory obligation to make a formal report once the corporation becomes aware, or begins to suspect, that a crime has been committed (Northern Ireland and Scotland have additional statutes that impose reporting duties that apply in addition to laws that apply UK-wide);
  • identifying which authorities may claim that the offending conduct occurred in their jurisdiction as a result of the fact that, with cloud-based communications (email, WhatsApp, iMessage, etc.), offending behaviour, and its impacts, can occur in more than one location;
  • whether evidence-sharing or mutual assistance treaties exist between the relevant jurisdictions;
  • differing rules surrounding the admissibility of intercepted communications; and
  • whether there are sensitivities between the authorities in the various jurisdictions, for example, whether one authority is taking precedence, and if so whether the other authorities accept that position.

Since the expiry of the transition period following the UK’s departure from the European Union, the gateways and procedures for sharing intelligence for the purposes of law enforcement co-operation, and entering into joint investigation teams are no longer available to the United Kingdom. Instead, the EU–UK Trade and Cooperation Agreement (TCA), agreed on 24 December 2020, will allow the United Kingdom to use a fast-track process to request extradition of EU nationals (similar to that available to Iceland and Norway), although the process will be more limited than that available under the existing European Arrest Warrant regime. Part 3 of the TCA, containing law enforcement and criminal justice co-operation provisions, includes new arrangements on the sharing of DNA, fingerprint and airline passenger information. However, UK investigators will lose direct, real-time access to sensitive EU databases, such as the Second Schengen Information System, the most widely used automated criminal database in Europe. The United Kingdom has also lost access to the European Criminal Records Information System and will, under the TCA, now have to wait for up to 20 days to obtain the criminal records of EU residents.

13 Does double jeopardy, or a similar concept, apply to prevent a corporation from facing criminal exposure in your country after it resolves charges on the same core set of facts in another? Is there anything analogous in your jurisdiction to the ‘anti-piling on’ policy as exists in the United States (the Policy on Coordination of Corporate Resolution Penalties) to prevent multiple authorities seeking to penalise companies for the same conduct?

The existence of the principle of double jeopardy means that a corporation cannot be prosecuted a second time in the United Kingdom for the same or similar offences on the same facts following a legitimate acquittal or conviction, or other appropriate disposal, such as a deferred prosecution agreement (DPA), by a UK court.

However, the protections for corporates worldwide in relation to double jeopardy principles are more varied and likely to be an area of discussion with law enforcement authorities when a corporate is involved in cross-border investigations in multiple jurisdictions. If the predicate offending has been disposed of in one jurisdiction, double jeopardy will not preclude UK authorities from prosecuting ancillary or incidental offences, such as record-keeping or money laundering offences that occurred in the United Kingdom. Nevertheless, there is scope to engage with international law enforcement agencies with close ties to UK enforcement agencies or mutual legal assistance arrangements with the United Kingdom (or both) to ensure that, in practice, one agency takes primary responsibility for the investigation and enforcement, to avoid any undue prejudice when a case spans multiple jurisdictions. Notwithstanding this, frequently corporates will be expected to respond to enquiries simultaneously from agencies inside and outside the United Kingdom, and there are no general, formal rights on the part of a company to seek to stay a UK investigation pending the outcome of a foreign investigation or set of criminal proceedings that may have commenced prior to the UK law enforcement agencies becoming involved.

There is no UK policy analogous to the ‘anti-piling on’ policy that exists in the United States. However, in situations of concurrent jurisdiction, there are memoranda of understanding between the various law enforcement and regulatory authorities in the United Kingdom. These provide a framework for co-operation between organisations that have (or may have) jurisdiction to prosecute an offence and for determining ‘primacy’ to investigate and prosecute offences.

14 Are ‘global’ settlements common in your country? What are the practical considerations?

Global settlements are becoming increasingly common. In November 2015, a DPA was agreed between the SFO and Standard Bank PLC, which was coordinated with the settlement between Standard Bank and the US Securities and Exchange Commission.

In January 2020, the SFO entered into a record-breaking DPA with the global aerospace company Airbus SE. This is the world’s largest global resolution for bribery to date.

In June 2021, Scotland-based engineering company John Wood Group reached a US$177 million global bribery settlement with authorities in the United States, the United Kingdom and Brazil, concluding legacy bribery and corruption investigations into Amec Foster Wheeler companies.

The SFO will also reference the assistance it receives from foreign authorities at the conclusion of any successful prosecution.

15 What bearing do the decisions of foreign authorities have on an investigation of the same matter in your country?

Law enforcement authorities generally seek to co-operate with counter­parties in foreign jurisdictions. Usually at the outset of an investigation, the authorities will agree whether one jurisdiction should take precedence in the investigation and prosecution of the matter (e.g., if the majority of the alleged misconduct took place in that jurisdiction or in the jurisdiction of incorporation) or agree which aspect of a larger cross-border enquiry involving a corporate each will lead on if the case involves a number of components.

Even if it is agreed that the predicate offending in a matter should be prosecuted in one particular country, incidental offences, such as books and records offences, can still be prosecuted in the other jurisdictions.

Ultimately, UK authorities are responsible for the conduct of their own investigations and prosecutions. The extent to which a decision by a foreign authority would influence a UK investigation will depend on the particular facts of the matter, the relationship between the UK and foreign authorities, and the relationship between the United Kingdom and the other country on a state or institutional level.

DPAs agreed in the United Kingdom often also include terms that require the recipient to provide co-operation with the SFO on all investigations and pre-investigations and prosecutions for the term of the DPA, including co-operation with foreign law enforcement and regulatory authorities or agencies on all matters relating to the conduct in question.

Economic sanctions enforcement

16 Describe your country’s sanctions programme and any recent sanctions imposed by your jurisdiction.

On 31 December 2020, the United Kingdom introduced autonomous sanctions regimes following its departure from the European Union. These UK regimes are introduced under the Sanctions and Anti-Money Laundering Act 2018.

Prior to 31 December 2020, with the exception of domestic sanctions focused on counterterrorism, sanctions in the United Kingdom stemmed from the European Union (including those implementing the sanctions imposed by the United Nations).

The UK and EU sanctions regimes broadly align although they are not identical. For example, the UK concepts of brokering and finance-related services extend explicitly to activities beyond the EU counterparts. The United Kingdom also maintains a sanctions regime, under the Global Anti-Corruption Sanctions Regulations 2021, to prevent and combat serious corruption, while at present there is no EU equivalent.

The main types of sanctions the United Kingdom imposes are:

  • trade sanctions, including restrictions relating to certain items (most commonly military and dual-use items and those that can be used for internal repression or to monitor and intercept communications), certain sectors and the provision of certain services (these sanctions are in addition to the UK’s general export control laws);
  • financial sanctions, including asset freezes; and
  • immigration sanctions, known as travel bans.

There may be specific exceptions under which it is possible to engage in an activity that would otherwise be prohibited. It may also be possible to get a licence or authorisation permitting activities that would otherwise be prohibited, although they are generally available in limited circumstances.

A principle of sanctions regimes is the prohibition on knowingly and intentionally participating in activities that have the object or effect of circumventing any sanctions laws or enabling or facilitating the contravention of those laws.

17 What is your country’s approach to sanctions enforcement? Has there been an increase in sanctions enforcement activity in recent years, for example?

The Department for International Trade implements trade sanctions and other trade restrictions. Her Majesty’s Revenue and Customs has primary responsibility for the enforcement of export controls. The UK Office of Financial Sanctions Implementation (OFSI), which is part of HM Treasury, implements and enforces financial sanctions. The Home Office implements and enforces immigration sanctions.

The potential consequences for breaching sanctions laws are severe, including unlimited criminal fines, periods of imprisonment for individuals, the disgorgement of any profits and reputational damage.

The 2017 Policing and Crime Act introduced civil penalties for breaches of financial sanctions, available in cases where it is not in the public interest to prosecute.

To date, OFSI has imposed five civil penalties, against Raphaels Bank (February 2019), Travelex (UK) Ltd (May 2019), Telia (October 2019), Standard Chartered (April 2020) and TransferGo Limited (August 2019). The imposition of the penalty against TransferGo Limited demonstrated that a failure to appreciate the application of financial sanctions is no defence.

18 Do the authorities responsible for sanctions compliance and enforcement in your country co-operate with their counterparts in other countries for the purposes of enforcement?

Prior to its departure from the European Union, the United Kingdom had a leading role in developing the EU sanctions policy. There are instances in which the United Kingdom has coordinated the sanctions that it imposes with, most commonly, the European Union, Canada and the United States.

OFSI has an international engagement branch that is leading an ‘initiative to help promote robust financial sanctions implementation on the world stage, not only through bilateral and multilateral meetings/events but also through technical assistance to other governments’.

19 Has your country enacted any blocking legislation in relation to the sanctions measures of third countries? Describe how such legislation operates.

Council Regulation (EC) No. 2271/96 protecting against the effects of the extraterritorial application of legislation adopted by a third country and actions based thereon or resulting therefrom (the EU Blocking Regulation) forms part of the retained EU law applying in the United Kingdom.

The EU Blocking Regulation currently applies to certain sanctions imposed by the United States in respect of Cuba and Iran (referred to as the listed extraterritorial sanctions). The Regulation was updated in August 2018 following the United States’ withdrawal from the Joint Comprehensive Plan of Action known as the ‘Iran deal’.

The EU Blocking Regulation has the following four main components:

  • UK persons (UK nationals and UK-incorporated entities) and those in the territory of the United Kingdom are prohibited, without authorisation from the Secretary of State for International Trade, from complying, either directly or through a subsidiary or other third party, actively or by deliberate omission, directly or indirectly, with any requirement or prohibition with the listed extraterritorial sanctions.
  • UK persons whose economic or financial interests are directly affected by the listed extraterritorial sanctions must inform the Secretary of State for International Trade of this within 30 days. In the case of UK businesses, the reporting obligation rests with directors, managers and others with managerial responsibility.
  • Judgments or decisions of non-UK courts, tribunals or administrative authorities giving effect to the listed extraterritorial sanctions are not enforceable in the United Kingdom. This is intended to shield UK persons from, for example, the effects of any decision requiring seizure or enforcement of any penalty in the United Kingdom based on the listed extra­territorial sanctions.
  • UK persons ‘engaging in international trade and/or the movement of capital and related commercial activities between the UK and third countries’ are entitled to recover damages for harm caused to them by the application of the listed extra­territorial sanctions. Recovery can take the form of seizure and sale of the assets of the persons causing the damage, their representatives or intermediaries.

20 To the extent that your country has enacted any sanctions blocking legislation, how is compliance enforced by local authorities in practice?

It is a criminal offence to breach the prohibition or fail to comply with the reporting obligation provided in the EU Blocking Regulation. This offence is punishable by an unlimited fine.

If a UK national or incorporated entity wishes to comply with any listed extra­territorial sanctions in the Blocking Regulation, authorisation must first be obtained from the Secretary of State for International Trade. In considering applications, the Secretary of State will consider the 14 criteria set out in Commission Implementing Regulation (EU) 2018/1101. Authorisation is effective on the date when it is notified to the applicant.

To date, no UK nationals or UK-incorporated entities have been prosecuted for a breach of the EU Blocking Regulation.

Before an internal investigation

21 How do allegations of misconduct most often come to light in companies in your country?

In addition to the normal means for identifying misconduct, such as audits, assurance procedures and whistleblowing, UK companies can become aware of allegations of misconduct through insolvencies, cybercrime or data breaches (e.g., the Unaoil and Panama Papers cases) and due diligence carried out in relation to commercial transactions, including mergers and acquisitions.

Allegations may also arise in hearings, such as employment tribunals and litigation proceedings.

Information gathering

22 Does your country have a data protection regime?

The United Kingdom implemented the Data Protection Act 2018 (the DP Act) to complement the EU General Data Protection Regulation (GDPR). The GDPR has direct effect across all EU Member States and applies directly to all organisations processing personal data within the Union. However, it allows each Member State limited opportunities to make provisions for how it applies in that country. The DP Act essentially provides the details of local derogations, such as law enforcement processing. The two must therefore be read side by side. This new legislation supplements existing UK laws such as the Freedom of Information Act 2000 and the Regulation of Investigatory Powers Act 2000, and directly applicable EU legislation, such as the Privacy and Electronic Communications Regulations.

Since the departure of the United Kingdom from the European Union, primarily, data protection is governed by the European Union Act 2018, The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and the DP Act. The UK data protection legislation succeeds the GDPR and must be read alongside the DP Act. This legislation supplements existing UK laws such as the Freedom of Information Act 2000, the Regulation of Investigatory Powers Act 2000, Investigatory Powers Act 2016 as well as legislation such as the Privacy and Electronic Communications Regulations. However, on 10 September 2021, the UK government launched a consultation on proposed reforms to the UK data protection regime (‘Data: a new regime’).

23 To the extent not dealt with above at question 9, how is the data protection regime enforced?

The power for enforcement of the data protection regime rests with the Information Commissioner’s Office (ICO). The ICO has a range of enforcement powers, the most notable being the imposition of large fines. However, in addition to this power to issue fines, the ICO has a range of other powers, including information notices, assessment notices, enforcement notices, and statutory powers of entry and inspection. In June 2021, the ICO gained new powers pursuant to the Proceeds of Crime Act 2002 (References to Financial Investigators) Order 2021 to enable it to apply for restraint orders as well as to carry out search and seizure exercises where it believes cash has been obtained through, or intended for use in, criminal activities.

24 Are there any data protection issues that cause particular concern in internal investigations in your country?

Typically, a considerable amount of evidence will be reviewed in the course of any internal investigation and must be handled carefully to ensure compliance with the DP Act. It is very likely that it will be necessary to conduct a data privacy impact assessment before processing any information. Decisions taken with regard to the processing and disclosure of data should be made in accordance with the DP Act, and all reasons for those decisions should be documented. If any of the data reviewed contain or may contain personal data, particularly sensitive personal data (now ‘special categories’), extra care should be taken. Firms should seek legal advice with regard to what additional measures should be taken in relation to this material. This includes whether redaction of any personal information is required and whether this would be an appropriate mechanism to avoid any data protection breaches.

Further, extra care should be taken in circumstances where there may be a transfer of the data outside the United Kingdom and European Union. Data flows between Europe and the United Kingdom are permissible as the EU Commission published, on 28 June 2021, two adequacy decisions in respect of the United Kingdom. However, transfer of personal data to the United States needs particular review following the European Court of Justice decision in the Schrems II case (July 2020), which invalidated the EU–US Privacy Shield. International transfers generally have also been affected by Schrems II, as the case had some further implications for the use of the EU Standard Contractual Clauses (SCCs). The ICO has published a draft UK addendum alongside a new draft international data transfer agreement, which is effectively the UK equivalent of the EU SCCs. The European Data Protection Board has recommended that firms conduct a risk assessment as to whether SCCs provide enough protection within the local framework, whether the transfer is to the United States or elsewhere.

25 Does your country regulate or otherwise restrict the interception of employees’ communications? What are its features and how is the regime enforced?

A range of factors must be taken into account when considering the monitoring of employee communications. These typically fall into two categories:

  • reviewing emails sent and received by an employee; and
  • intercepting emails before receipt.

In relation to the review of emails sent and received by an employee, the situation broadly involves considerations under the GDPR, the DP Act and the Human Rights Act 2000. The processing of emails through review will require an employer to consider the extent to which it can satisfy a lawful condition of processing under the GDPR with balancing the data subject and privacy rights. However, consent is not typically a basis on which the processing would take place as, under the GDPR, consent has to be given freely and the ICO has stated that it is unlikely that consent could be so considered in an employer–employee relationship in view of the imbalance of power.

If monitoring does take place, this will often be overt monitoring, in that the employer will set out in its information technology use and privacy policies that it retains the right to access emails and messages sent and received on devices used by employers.

The ICO issued guidance prior to the implementation of the GDPR. As yet this has not been updated but recommends that covert monitoring takes place only in exceptional circumstances; for example, for the detection of crime.

It is essential, if monitoring is taking place, that the employer ensures that it is proportionate and undertaken only for as long as is necessary.

The GDPR sets out circumstances in which it is mandatory to conduct a data protection impact assessment, which includes assessing when processing is likely to result in a high risk to data subjects. As a matter of good practice, it may be prudent to work through a risk assessment prior to processing even when the high threshold has not been triggered, so that essential security and data minimisation measures are considered and adopted where necessary.

Up to 27 June 2018, the Provisions of the Regulation of Investigatory Powers Act 2000 and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699) governed the interception of electronic communications during transmission. These have been replaced by the Investigatory Powers Act 2016 (IPA) and the Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018 (SI 2018/356) (the 2018 Regulations).

Under the IPA, it is a criminal offence to intercept communications without lawful authority. Although the 2018 Regulations include the detection of crime as authorised conduct in certain circumstances, given the criminal implications of interception without proper authority, every case must be assessed on its merits to ensure that the relevant standards are met.

Dawn raids and search warrants

26 Are search warrants or dawn raids on companies a feature of law enforcement in your country? Describe any legal limitations on authorities executing search warrants or dawn raids, and what redress a company has if those limits are exceeded.

Authorities that investigate corporate crime, such as the Serious Fraud Office (SFO) or Her Majesty’s Revenue and Customs (HMRC), often conduct dawn raids of business or residential premises under the authority of a search warrant issued by a court. A raid is often undertaken in conjunction with a local police force.

When a raid is carried out under a warrant (searches without warrant are permissible subject to overarching statutory controls), the authority may only search the premises specified in the warrant.

In England, Wales and Northern Ireland, certain categories of material, such as confidential journalistic material or personal records created in the course of a business (e.g., patient records in a medical practice) cannot be seized during a raid without additional authorisations being obtained, in some circumstances from particular courts. Different rules apply in Scotland.

In the United Kingdom as a whole, legally privileged material cannot be seized unless it was created with the intention of the furtherance of a crime (the crime-fraud exception) or is inextricably linked to other, seizable material. If that is the case, material can be seized but must be sifted to exclude as far as possible any privileged material from the investigating team at the law enforcement agency. In England and Wales, a typical approach is for material subject to a claim of legal privilege to be examined by an independent lawyer before it is examined by the investigating team (and any privilege material excluded). The use of this power is also subject to the Criminal Justice and Police Act 2001, which entitles a corporate’s legal representative to be present at a review of the material and apply to a judge for the material to be returned. In Scotland, there is no statutory framework for dealing with privilege issues and it may be necessary to apply to the courts for the seizure of privilege material to be suspended.

The Competition and Markets Authority (CMA) may conduct a dawn raid of business premises without a warrant.

Some authorities have additional powers that can be exercised during a dawn raid; for example, the SFO and the CMA may compel a person to answer questions relevant to the search, such as regarding the location of certain documents. These powers, and equivalent sanctions, are mirrored by means of disclosure notices issued pursuant to sections 60 to 70 of the Serious Organised Crime and Police Act 2005, although the prosecutor rather than the investigator must sanction the use of these notices.

If there are significant errors in either the process of obtaining a warrant or authorising a raid, or in the execution of a raid, the warrant can be challenged by judicial review and rendered unlawful and the material seized during the raid could be rendered inadmissible or returned to the subject.

The Law Commission is reviewing the law governing search warrants. A consultation on the issue closed on 5 September 2018. In a report laid before Parliament in October 2020, the Commission made 64 recommendations to strengthen law enforcement powers, improve the search warrant process, clarify the rules around electronic material and strengthen safeguards for those being investigated.

27 How can privileged material be lawfully protected from seizure during a dawn raid or in response to a search warrant in your country?

As a general rule, legally privileged material cannot be seized during a dawn raid unless the crime-fraud exception applies or where it is inextricably linked to seizable material, in which case other safeguards should be adhered to. These include the sifting of material, by an independent legal team, to exclude as far as possible any privileged material from the investigating team at the law enforcement agency. However, should certain competition investigations also involve the European Commission, note that it does not regard advice from in-house lawyers as legally privileged. Following the United Kingdom’s departure from the European Union, the Commission can no longer conduct dawn raids in the United Kingdom nor request that the CMA does so on its behalf (other than in relation to cases brought prior to the end of the transition period). If there is any co-operation between the CMA and European Commission, the CMA would conduct the raid and UK rules on privilege would apply. The European Commission can still send information requests to UK companies under Article 18 of Council Regulation (EC) No. 1/2003 on the implementation of the rules on competition and, where those requests ask for documents containing legal advice, the Commission’s approach to privilege would apply.

In England, Wales and Northern Ireland, the authorities that investigate corporate crime are routinely accompanied during raids by an independent lawyer specifically tasked with reviewing on-site any material that a company asserts as privileged. It is important, therefore, to be aware of where privileged material is likely to exist so that assertions can be made before items are seized.

If there is a dispute regarding privilege that cannot be resolved in situ, the authority will seize the material by sealing it in an opaque bag for review by an independent lawyer or the court at a later date. The company is entitled to have its legal representative present during that review.

Digital devices containing both privileged and non-privileged items that cannot be separated may be seized or imaged during a raid. In practice, the privileged material will then be quarantined by digital forensic experts within the authority by applying search criteria provided by the company.

28 Under what circumstances may an individual’s testimony be compelled in your country? What consequences flow from such compelled testimony? Are there any privileges that would prevent an individual or company from providing testimony?

In England, Wales and Northern Ireland, there is a qualified right of silence when being interviewed as a suspect, and a defendant in a criminal trial has a right not to give evidence. In both situations, the right is qualified as, in certain circumstances, adverse inferences can be drawn from this silence.

However, in Scotland the right to silence is not qualified and no negative inference can be drawn from an interviewee’s refusal to answer questions.

A right of silence does not apply when an authority such as the SFO, Financial Conduct Authority or CMA (or HMRC or the police when powers under the Serious Organised Crime and Police Act 2005 are in play) exercises specific statutory powers by issuing a notice compelling a witness to answer questions or produce documents. Failure to comply with such a notice without a reasonable excuse can constitute a criminal offence. However, the contents of a compulsory interview under these powers cannot be used against the individual except in a prosecution specifically for making a false or misleading statement in that interview.

Whistleblowing and employee rights

29 Describe the whistleblowing framework in your country. What financial incentive schemes exist for whistleblowers? What legal protections are in place for whistleblowers?

The Public Interest Disclosure Act 1998 and the Public Interest Disclosure (Northern Ireland) Order 1998, as amended, combined with the Employment Rights Act 1996 and the Employment Rights (Northern Ireland) Order 1996, offer statutory protections to whistleblowers.

It should be noted that the protection afforded for whistleblowers is wider than the typical definition of ‘employee’ or ‘worker’. There are a number of individuals who are now included for protection who would not normally be, including: homeworkers; self-employed doctors, dentists, ophthalmologists and pharmacists in the National Health Service (NHS); agency workers; police officers; student nurses and student midwives; job applicants in the NHS. It has also been held that an equity partner in a limited liability partnership law firm was a worker for whistleblowing purposes (Clyde & Co LLO v. Bates van Winkelhof [2014] UKSC 32). It was also held in Gilham v. Ministry of Justice [2019] UKSC 44 that judges, as office holders, should be afforded the protection, which could have implications regarding protection for other office holders.

The dismissal of an employee will be automatically unfair if the principal reason for dismissal is that the individual has made a qualifying ‘protected disclosure’. Workers (as defined above) and employees are also protected from detrimental treatment (e.g., harassment, reduction in pay or dismissal) on the ground that they have made a qualifying protected disclosure.

There is no requirement for a minimum period of service nor is there any financial cap on the amount of compensation that can be awarded. An employee alleging automatic unfair dismissal on the grounds of being a whistleblower may make an immediate application for interim relief, which may result in effective reinstatement. A successful automatic unfair dismissal claim could also result in the individual being reinstated as an employee, although this is rare.

There are no financial incentive schemes in the United Kingdom for whistleblowers.

30 What rights does local employment law confer on employees whose conduct is within the scope of an investigation? Is there any distinction between officers and directors of the company for these purposes?

Suspension pending investigation

Employment legislation does not specifically deal with suspension but case law and guidance issued by the Advisory, Conciliation and Arbitration Service (ACAS, a public body funded by the UK government), in the form of the ACAS Code of Practice on Disciplinary and Grievance Procedures (the ACAS Code), requires that employees be suspended only when this is necessary and that the period of suspension be as short as possible and kept under review. Employees should be informed, preferably in writing, of the nature of the allegations made against them (whether in relation to an internal or external investigation) and, in most cases, suspension should be on full pay and with no loss of benefits. Any failure to follow these principles can result in a breach of the ACAS Code and could be a repudiatory breach of contract. In Northern Ireland, similar provisions apply, pursuant to the Labour Relations Agency, Code of Practice on Disciplinary and Grievance Procedures (the LRA Code). An employee should not be suspended for having raised a protected disclosure as this could be deemed a detriment. When it is necessary to suspend any employee alleged of misconduct, the employer should check whether it has an express right (or, depending on the industry, an implied right) to suspend the employee as, without this, there could be a breach of contract.

The right to a fair hearing

The disciplinary process should be carried out in accordance with the ACAS Code. As a minimum, it should include an investigation to establish the facts before proceeding to a disciplinary hearing (assuming there is a case to answer). In good time ahead of a disciplinary hearing, the employee must be informed of the allegations against him or her and the right to be accompanied at the hearing by a colleague or a trade union representative. During the hearing, the accused should be given a full opportunity to answer the allegations before any decision is made by the employer.

Employers should carry out their own disciplinary process irrespective of any third-party finding of guilt (e.g., by the police). The employer is still required to follow a fair disciplinary process (in accordance with the ACAS Code) as far as possible. As stated above, in Northern Ireland, compliance with the LRA Code (rather than the ACAS Code) is required but also note that, unlike in Great Britain, statutory dismissal procedures have been retained.

These requirements can be relaxed when employees do not have the requisite length of service with their employer to bring an unfair dismissal claim (two years in Great Britain and one year in Northern Ireland); however, it is best practice to follow a fair process in dismissals, to avoid allegations of whistleblowing or discriminatory treatment.

The right not to be unfairly dismissed

All employees with the requisite length of service have the right not to be unfairly dismissed. In the case of a successful claim, an employment tribunal can order reinstatement or re-engagement, or award compensation. In most cases in Great Britain, compensation is capped at one year’s pay or £89,493 (whichever is lower) plus a basic award of up to £16,320. In Northern Ireland, the one-year pay cap does not apply and unfair dismissal compensation is capped at £89,669, plus a basic award of up to £16,980, although in certain situations, employees can argue that this compensation cap should be disapplied.

The requirement for length of service and the statutory caps on compensation do not apply when the employee successfully alleges that the principal reason for dismissal is that the individual made a qualifying protected disclosure.

Company director considerations

Directors may also be employees (in which case the above will apply in tandem with any specific issues regarding directors’ duties). A director who is not an employee (i.e., a non-executive director) will not be subject to the above rules. However, directors are subject to general duties, which are set out in the Companies Act 2006, contained within a company’s articles and may also be set out in any letter of appointment. The company’s articles and any relevant letter of appointment will include provisions regarding the removal of a director who has acted in breach of one or more of his or her duties under the Companies Act. There are additional regulations that apply to directors of public companies.

31 Do employees’ rights under local employment law differ if a person is deemed to have engaged in misconduct? Are there disciplinary or other steps that a company must take when an employee is implicated or suspected of misconduct, such as suspension or in relation to compensation?

Rights regarding suspension, the right to a fair hearing and the right not to be unfairly dismissed all apply to employees who may have engaged in misconduct. There is no strict employment law requirement to suspend or discipline those suspected of misconduct; that is a decision for the employer. Some heavily regulated employers, such as those within the financial services sector, may have increased obligations around suspension and disciplinary action where employees carry out regulated activities. In some cases, an employee’s misconduct must be reported to the regulator. Employees may also be regulated themselves and will have specific obligations towards the regulator.

32 Can an employee be dismissed for refusing to participate in an internal investigation?

In general, a request to participate in an internal investigation will be a reasonable management instruction and any unreasonable refusal to engage in this process may constitute misconduct in itself. Whether or not an employer could fairly dismiss in these circumstances will depend on the whole context and in particular, the seniority of the employee. At all times, it is important that the employer does not interrogate or put pressure on the employee to make admissions of guilt, and a range of safeguards as to how the investigation is conducted should be considered, to ensure fairness to the employee.

Commencing an internal investigation

33 Is it common practice in your country to prepare a document setting out terms of reference or investigatory scope before commencing an internal investigation? What issues would it cover?

It is good practice to prepare an initial scope of an internal investigation, potentially with a written investigation plan, with target deadlines and a clear set of tasks where possible, before commencing the investigation proper, setting out:

  • its purpose;
  • the issues to be investigated;
  • the client, and who within an organisation can provide instructions on behalf of the company;
  • the investigation team and reporting lines;
  • how legal privilege will be established and maintained (e.g., the investigation team is instructed by and reports to a lawyer);
  • how digital and hard copy material will be collected and preserved;
  • how staff interviews will be conducted; and
  • any other necessary immediate controls or steps, such as ceasing all future payments to third parties under suspicion.

The scope of an internal investigation and the client team may need to be kept under review, depending on factual findings and other developments that are possible at different stages in the investigation.

34 If an issue comes to light prior to the authorities in your country becoming aware or engaged, what internal steps should a company take? Are there internal steps that a company is legally or ethically required to take?

There are generally no formal legal obligations on a company to conduct an internal investigation into its own affairs. However, conduct rules applicable to some companies by the bodies that regulate them may mean an internal investigation is strongly recommended or even required.

The company should also consider whether a money laundering report is needed in accordance with the Proceeds of Crime Act 2002 (UK-wide application) and whether any additional report is required for the police in Northern Ireland or Scotland to comply with specific legislation that is applicable in those jurisdictions. In addition, the company should:

  • stop the offending behaviour, otherwise the company could be exposed to a risk of criminal liability itself for allowing potential offending to carry on unchecked and without investigation;
  • if there are grounds for suspecting (where that suspicion is more than merely fanciful) that funds relating to a future transaction may be tainted as the proceeds of crime, consider making a Defence Against Money Laundering report to the National Crime Agency, requesting a defence to proceed with that transaction;
  • preserve all documents and material relevant to the issue. Failure to preserve evidence could also impede a later criminal investigation, leaving the company at risk of criticism from, or undermining its ability to demonstrate its co-operation with, the authority. Note also that it can be a criminal offence to undertake any acts that can affect the administration of justice. Relevant conduct may include destroying, falsifying, concealing or disposing of relevant documents when a person knows or suspects an investigation of serious or complex fraud is already being, or is likely to be, undertaken by certain law enforcement agencies; and
  • take remedial or preventive action to ensure that the offending behaviour cannot occur in the company again.

If a company has failed to take any steps to address an allegation of bribery or facilitation of tax evasion, it is unlikely that it would be able to rely on the ‘adequate or reasonable procedures’ defence in the event of a prosecution of corporate failure to prevent under the Bribery Act 2010 or Criminal Finances Act 2017.

35 What internal steps should a company in your country take if it receives a notice or subpoena from a law enforcement authority seeking the production or preservation of documents or data?

On receipt, the notice or court order should be sent immediately to the appropriate person within the business whose function is to deal with this type of external matter (usually within the legal department). All steps should be taken to ensure that evidence that may be relevant for production under the notice or court order is not deliberately or inadvertently lost, destroyed or altered, and that any individuals who may be involved in possible wrongdoing are not tipped off. The exact scope of the request should be determined and clarifications sought if the scope is unclear. The deadline for responding should also be diarised. It is advisable to seek external legal advice if the legal department is inexperienced in dealing with such matters.

Once reviewed for relevance, the results should be checked for privilege, and copies retained of anything provided to the authorities.

36 At what point must a company in your country publicly disclose the existence of an internal investigation or contact from a law enforcement authority?

Privately owned companies are not required to publicly disclose the existence of internal investigations or contact from law enforcement.

Under the UK Listing Rules, publicly listed companies must issue a market announcement of any major new development that may affect their business without delay, if the development may lead to a substantial share price movement. A notice compelling the provision of documents would be unlikely to require an announcement, but confirmation from the authority that the company was a suspect in a criminal investigation would be likely to require an announcement.

Organisations that are authorised by the Financial Conduct Authority also have an obligation to disclose to it anything relating to the firm of which it would reasonably expect notice. This would include breaches of UK laws and regulations, civil, criminal or disciplinary proceedings against a firm and fraud, errors and other irregularities.

Public companies are also required to complete a fraud and error declaration as part of their audit process, expressly referencing not only material misstatements but suspicions of fraud or control failures. A person commits a criminal offence pursuant to section 501 of the Companies Act 2006 if he or she knowingly or recklessly make a misleading, false or deceptive statement to an auditor.

37 How are internal investigations viewed by local enforcement bodies in your country?

UK authorities have publicly stated that they are not opposed to internal investigations that are carried out in a manner that would not impede a criminal prosecution. They expect data-gathering exercises to be carried out promptly and covertly and to be coordinated across multiple sites simultaneously. ‘Covert’ in this context is intended to ensure potential suspects in a later criminal investigation are not tipped off prior to data collection and so given an opportunity to destroy or delete incriminating material. It does not mean that companies should conduct internal investigations in a manner that involves unlawful surveillance or data-gathering techniques (whereby they could be separately liable for other offences). Data collections should be forensically sound, preserving metadata. All procedures used to gather and image data should be recorded and then fully disclosed to the relevant law enforcement authority.

Additionally, UK authorities expect that full and accurate accounts are made of any witness interviews and, in some circumstances, consideration may need to be given to whether certain interviews should be conducted at all. This is particularly important if there is a risk of criticism that a corporate conducted an interview knowing that a law enforcement agency would wish to speak to a witness first and obtain a first account from a witness prior to any internal investigation or review.

The Serious Fraud Office has repeatedly said that it expects to be given interview notes by corporates seeking to demonstrate co-operation in their investigation. While this is tempered to an extent by an acknowledgement that disclosure is not required when legal professional privilege applies, when such a claim is without foundation, co-operation is likely to be cast into doubt in the absence of such a disclosure.

Attorney–client privilege

38 Can the attorney–client privilege be claimed over any aspects of internal investigations in your country? What steps should a company take in your country to protect the privilege or confidentiality of an internal investigation?

Legal professional privilege has traditionally been claimed over various aspects of internal investigations, which has increasingly been disputed by law enforcement authorities. However, in a 2018 Court of Appeal case, Eurasian Natural Resources Corporation Limited (ENRC) successfully repelled a challenge by the Serious Fraud Office (SFO) relating to claims of privilege by the corporation. The SFO sought to challenge claims to privilege by ENRC regarding various documents that were produced by lawyers and forensic accountants during an internal investigation into allegations of bribery and corruption that had arisen from a whistleblower report. The documents in question fell into four categories:

  • category 1: notes taken by lawyers of interviews conducted during an internal investigation;
  • category 2: materials generated by forensic accountants as part of a ‘books and records’ review;
  • category 3: documents, such as presentation slides, containing or surmising factual evidence, that were used by lawyers to present to ENRC; and
  • category 4: emails between a senior executive and the head of mergers and acquisitions at ENRC, who was a Switzerland-qualified lawyer.

The Court of Appeal held that documents falling into categories 1, 2 and 4 were protected by litigation privilege. The High Court had already held that the factual updates provided in category 3 were protected by legal advice privilege.

In short, the Court of Appeal held that a criminal investigation by the SFO could be ‘litigation’ for privilege purposes and that although a party anticipating possible prosecution will often need to make further investigations before it can say with certainty that proceedings are likely, that uncertainty does not in itself prevent proceedings being in reasonable contemplation. The fact that ENRC did not have the information required to evaluate the whistleblower email, therefore causing it to be uncertain as to whether a crime had in fact taken place, was not a bar to having the protection of litigation privilege. The Court opined that it would be wrong to deny a potential defendant the benefit of litigation privilege when asking his or her lawyer to investigate the circumstances of the alleged offence. It concluded that ENRC did contemplate that prosecution was possible when the documents in question were created and, therefore, these documents were protected by litigation privilege.

The Court of Appeal decision went some way to restoring the status quo in relation to privilege but much of the reasoning in the case is highly fact-specific; the judgment should not be interpreted to extend litigation privilege to all documents created in all internal investigations. Many pitfalls remain, with challenges by opponents and regulators and privilege issues continuing to trouble businesses, their lawyers and the courts. Although some cases have confirmed the status of legal professional privilege as a fundamental right, there are no guarantees that any document created during an internal investigation will be legally privileged. Nevertheless, steps can be taken to maximise the chance of succeeding with such a claim, such as:

  • involving lawyers (whether external or in-house) as soon possible;
  • marking all communications pertaining to legal advice as ‘privileged and confidential’;
  • segregating privileged and non-privileged documents;
  • refraining from forwarding or creating new documents that summarise the legal advice received;
  • encouraging employees not to amend or quote extracts from legal advice; and
  • if there is the reasonable possibility of potential litigation at a later stage, recording this in writing, and giving as much detail as possible, to evidence any subsequent legitimate claim for litigation privilege.

Parties are able to obtain legal advice in the context of an internal investigation, and confidential communications between a lawyer and a client, provided they are for the dominant purpose of seeking or giving legal advice, are likely to be privileged under legal advice privilege principles. These principles generally do not protect communications involving third parties. However, the Court of Appeal in ENRC, as well as courts in some subsequent cases, have expressly left open a question as to whether aspects of current UK law on legal advice privilege should be reviewed at a later date by the UK Supreme Court. It is likely, therefore, that the subject of privilege in internal investigations will be a matter of continuing development of UK law.

39 Set out the key principles or elements of the attorney–client privilege in your country as it relates to corporations. Who is the holder of the privilege? Are there any differences when the client is an individual?

There are two main forms of legal professional privilege:

  • legal advice privilege, which protects confidential communications (and evidence of those communications) between a lawyer and a client (but not communications with third parties), provided that the communications are for the dominant purpose of seeking and receiving legal advice; and
  • litigation privilege, which protects confidential communications (and evidence of those communications) between a lawyer and a client or third party, or both, or between a client and a third party, created for the sole or dominant purpose of obtaining information or advice in connection with the conduct of existing or reasonably contemplated litigation (including avoiding or settling, as well as defending or resisting, that litigation).

The holder of the privilege is the client and survives the death or dissolution of the client (Addlesee v. Dentons [2019] EWCA Civ 1600).

In the case of corporate investigations, the client tends to be represented by the group of individual employees or directors charged with seeking and receiving legal advice on behalf of the company (or commissioning or conducting the internal investigation) rather than the entire corporate entity. This group of individuals usually includes the in-house legal team and some or all of the board of directors or a subcommittee established by a company, but this group should be defined as soon as any external lawyers are engaged or at the outset of an investigation. This helps to ensure that there is a defined group from whom instructions by lawyers can be received and to whom advice is provided, which safeguards any claim of legal advice privilege.

40 Does the attorney–client privilege apply equally to in-house and external counsel in your country?

Yes, although not in the context of an antitrust and competition investigation by the European Commission. This exception may well also apply to other EU investigations, such as state aid and merger control. Consequently, where competition matters and other matters in which EU bodies might get involved at a later stage are concerned, it is best to involve external counsel. In-house counsel must always be careful to ensure that they distinguish between legal advice and advice that is commercial in nature, since the latter will not attract legal professional privilege.

41 Does the attorney–client privilege apply equally to advice sought from foreign lawyers in relation to investigations in your country?

Advice sought from foreign lawyers in investigations in the United Kingdom is subject to the same legal professional privilege as advice sought from lawyers within the United Kingdom. The UK courts will apply UK law on privilege to determine the extent to which privilege applies. If a document satisfies the test for legal advice privilege or litigation privilege under UK law, the document will be treated as privileged. This decision is made regardless of whether that document would not have been privileged under a foreign law.

This principle can have the opposite effect in respect of any documents that would be privileged under foreign law but do not meet the requirements for privilege under UK law. The foreign privileged documents would not attract legal professional privilege in the United Kingdom.

Privilege can attach to the advice given by foreign lawyers (including in-house lawyers), provided they are acting in their professional capacity in connection with the provision of legal advice. The 2020 case of Tatneft v Bogolyubov and others ([2020] EWHC 2437) clarified that the communications of foreign lawyers who are ‘acting in the capacity or function of a lawyer’ are protected by legal professional privilege.

42 To what extent is waiver of the attorney–client privilege regarded as a co-operative step in your country? Are there any contexts where privilege waiver is mandatory or required?

UK authorities have frequently stated that they have no interest in communications between a client and its lawyers as to questions of liability or rights; however, in recent years, law enforcement agencies, such as the SFO, have challenged assertions of legal professional privilege over factual aspects of internal investigations and have expected the waiver of claimed legal professional privilege in the event of any self-report. The authorities have stated previously that a refusal to waive a well-made-out claim of legal professional privilege will not be held against a company, but a waiver of such a claim would be good evidence of co-operation. False or exaggerated claims of legal professional privilege will continue to be considered strong evidence of not co-operating and will be challenged. The 2018 ENRC Court of Appeal judgment has confirmed that even when a party may lead the SFO to believe that it might in future waive privilege over certain documents, this does not in itself amount to a waiver of privilege and would only amount to such a waiver in the event of a formal agreement.

In 2019, the SFO issued guidance on its requirements for corporate co-operation in relation to its investigations. The guidance provides that ‘if the organisation claims privilege, it will be expected to provide certification by independent counsel that the material in question is privileged’.

43 Does the concept of limited waiver of privilege exist as a concept in your jurisdiction? What is its scope?

There is a concept of limited waiver of legal professional privilege, and it is for the individual or entity waiving the privilege to determine the extent of the waiver.

It is important to be very clear as to the scope of the waiver with regard to the purpose for which the privileged information can be used and with whom it can be shared, particularly if a party seeks to prevent the information being shared with other domestic or foreign enforcement authorities or parties in any related civil proceedings. Generally, there are various gateways where evidence is shared between law enforcement agencies in the United Kingdom (and sometimes elsewhere), and proposals for a limited waiver from a corporate may not be acceptable to a law enforcement agency given the wider duties of disclosure or information sharing.

44 If privilege has been waived on a limited basis in another country, can privilege be maintained in your own country?

This will depend on a number of factors, including the terms of the waiver, the circumstances in which the material was received by the UK authority, and whether the UK authority disputes the claim of privilege, for example, if the UK authority asserts that the material falls within the crime-fraud exception.

45 Do common interest privileges exist as concepts in your country? What are the requirements and scope?

Common interest privilege exists in most parts of the United Kingdom (opinions are divided as to its existence in Scotland) and can be used to preserve privilege in documents disclosed to third parties who have, at the time of the disclosure, a common interest in the subject matter of the privileged document or the litigation for which the document was created.

It is advisable when disclosing information under the common interest privilege to ensure that the recipient understands that the document has been disclosed on this basis and to obtain undertakings from the recipient that the privilege will not be waived. Typically, in criminal-related investigations, common interest privilege has very limited practical scope, because it is often in doubt whether two parties do, in fact, have a common interest.

46 Can privilege be claimed over the assistance given by third parties to lawyers?

Privilege can be claimed over confidential communications (and evidence of those communications) between a lawyer and a client or third party, or both, or between a client and a third party, created for the sole or dominant purpose of obtaining information or advice in connection with the conduct of existing or reasonably contemplated litigation (including avoiding or settling, as well as defending or resisting, that litigation).

Witness interviews

47 Does your country permit the interviewing of witnesses as part of an internal investigation?

An internal investigation is a fact-finding exercise and interviews will often be considered material to any internal investigation. However, it is advisable always to be sensitive to the expectations of investigating authorities, to avoid any criticism that interviews could have prejudiced the law enforcement investigation.

48 Can a company claim the attorney–client privilege over internal witness interviews or attorney reports?

In its ENRC judgment, the Court of Appeal held that, on the facts of that case, factual notes of what is said by a witness to a lawyer constituted a privileged document.

It should also be borne in mind that when proceedings are not in contemplation, communications between interviewees and counsel not made in the course of giving instructions to counsel will not attract litigation privilege or legal advice privilege. Only communications between counsel and those entrusted by the company to give instructions to counsel will attract legal advice privilege.

In summer 2019, the Serious Fraud Office (SFO) issued guidance on its requirements for a company to be considered to be adopting a co-operative approach with the SFO, which includes guidance on witness interviews. The Law Society’s position is that no client should be put under pressure to waive privilege or conduct affairs in such a way that properly construed privilege does not apply.

49 When conducting a witness interview of an employee in your country, what legal or ethical requirements or guidance must be adhered to? Are there different requirements when interviewing third parties?

Although there are no general, formal requirements when conducting witness interviews as part of an internal investigation, best practice dictates that, irrespective of whether the interviewee is an employee or a third party, they should be informed:

  • that the interview is part of a fact-finding exercise and, if applicable, in contemplation of litigation;
  • if they are implicated in any wrongdoing;
  • that the lawyer conducting the interview represents the company and not the interviewee;
  • that the interview notes created by the lawyer belong to the company and, therefore, any privilege in the notes rests with the company;
  • the company may choose to provide the notes to an authority (and this is at its election); and
  • that the interview is confidential and the contents of the interview should not be discussed with other employees or witnesses (to avoid contaminating their recollection and generally to protect the integrity of the process).

Care should also be taken not to taint a witness’s recollection, for example by disclosing previously unseen material or discussing another witness’s statement.

50 How is an internal interview typically conducted in your country? Are documents put to the witness? May or must employees in your country have their own legal representation at the interview?

It is becoming more common for interviewees to be legally represented in initial fact-finding interviews during internal investigations, and companies should not refuse a request from an individual to be legally represented at his or her own expense. When employees may incriminate themselves during an interview, there are compelling ethical reasons why a company may suggest that an employee may wish to obtain his or her own independent legal advice.

Documents can be put to the interviewee. A copy of each of the documents referred to, or an interview pack, should be retained as part of the record of the interview, as a matter of good internal investigation practice.

Reporting to the authorities

51 Are there circumstances under which reporting misconduct to law enforcement authorities is mandatory in your country?

Section 330 of the Proceeds of Crime Act 2002 (POCA) places a specific duty on employees of regulated businesses (i.e., financial services firms and professional services such as lawyers and accountants) to make a report to the National Crime Agency (NCA) when they have reasonable grounds to know or suspect that another person is engaged in money laundering and that knowledge or suspicion came to them within the course of their regulated business. Failure to make a report in those circumstances carries a risk of imprisonment or a fine, or both, for individuals (and fines for companies), unless, in the case of individuals, they have reported to their company’s money laundering reporting officer (MLRO). Other similar offences arise under section 331 of POCA regarding MLROs who have failed to report to the NCA, given their designated statutory duties to do so.

In June 2021, the Crown Prosecution Service (CPS) published its revised legal guidance on section 330 of POCA confirming that the CPS will consider prosecuting for a failure to report money laundering suspicions even though there is insufficient evidence to establish a predicate money laundering offence. This represents a significant policy shift as, prior to the guidance update, the CPS did not charge under section 330 if there was insufficient evidence to establish that money laundering was planned or undertaken.

Any company (regulated or non-regulated) may make a report to the NCA if it has a suspicion that it possesses funds obtained as a result of suspected criminal conduct by the company or its employees, as this may be a money laundering offence under POCA, or terrorist financing (under part 3 of the Terrorism Act 2000). In addition, when a company (regulated or non-regulated) knows or suspects that property it intends to deal with is criminal (i.e., it constitutes or represents, in whole or part, directly or indirectly, the benefit of a person’s criminal conduct), it should make a Defence Against Money Laundering report (DAML) to the NCA. Note that the DAML only applies to future actions and cannot cure past breaches. In both cases, a report to the NCA of any of these types of suspicions and activities can provide a statutory defence to money laundering if made as soon as practicable.

A money laundering report to the NCA is not a self-report for the purposes of a deferred prosecution agreement (DPA) or mitigation of sentence. A self-report must be made directly to the relevant authority, such as the Serious Fraud Office (SFO).

Note also that the Fifth Money Laundering Directive (EU) 2018/843, which came into force on 10 January 2020, expands the scope of businesses to which the UK’s anti-money laundering regime applies (for example, to tax advisers, letting agents and crypto-asset exchanges), as well as amending a number of the substantive requirements. In Scotland, there is an obligation to report any knowledge or suspicion of serious organised crime to the police when this knowledge or suspicion originates from information obtained in the course of business or as a result of a close personal relationship (Criminal Justice and Licensing (Scotland) Act 2010). In Northern Ireland, additional reporting duties apply under the Criminal Law (Northern Ireland) Act 1967.

52 In what circumstances might you advise a company to self-report to law enforcement even if it has no legal obligation to do so? In what circumstances would that advice to self-report extend to countries beyond your country?

The question of when and whether to self-report has been the subject of considerable debate following the Rolls-Royce case, which involved a DPA (notwithstanding that there was no self-report) and the Airbus SE case, respectively.

Prior to the DPA agreed in Rolls-Royce in January 2017, it was considered advisable for a company to self-report if it wished a matter to be settled by way of a DPA; the SFO had articulated that one of the preconditions of a DPA was a genuinely proactive approach by the company, including a full self-report (i.e., complete disclosure of the facts).

However, doubt was cast on whether a self-report was a precondition to a DPA in light of the DPA secured by Rolls-Royce in circumstances that did not follow a self-report. The SFO, and indeed the court in approving the DPA, emphasised that the circumstances in which Rolls-Royce secured a DPA (notwithstanding that it had not self-reported) were due to the extraordinary level of co-operation with the SFO that followed once the offending conduct was already known in part to law enforcement authorities.

In respect of Airbus SE, the commercial and defence and space divisions were charged with five counts of failure to prevent bribery. The conduct covered by the UK DPA took place across Sri Lanka, Malaysia, Indonesia, Taiwan and Ghana, between 2011 and 2015. In its judgment, the court remarked that the seriousness of the criminality in this case was grave, with worldwide conduct that took place over many years. It also noted that once the wrongdoing was identified, Airbus SE overhauled its compliance, which resulted in the company putting in place the following remedial steps:

  • redesigning its compliance structure and oversight mechanisms;
  • rolling out improved and strengthened due diligence processes;
  • launching a required company-wide anti-bribery and corruption risk assessment;
  • bringing in a newly elected management team; and
  • launching internal investigations into the actions of existing and former employees.

When approving the DPA, the court cited these extensive steps, recognising that the overhaul to the management and compliance structure of the business left it ‘a changed company to that which existed when the wrongdoing occurred’. This contributed to a 50 per cent reduction in the financial penalty imposed by the DPA.

The SFO has now issued guidance on what it considers amounts to co-operation with its investigations, including a requirement to report a suspected fraud or bribery within a reasonable time of the suspicion arising. The guidance makes it clear that co-operation will be a relevant factor in making charging decisions (i.e., whether to prosecute, recommend a DPA or take no further action). There is no presumption that self-reporting will lead to no further action.

The SFO does not publish details of the self-reports that have led to no further action. Whether a DPA will be available in the absence of a self-report in future remains to be seen.

To date, the SFO has not secured the successful conviction of any of the individuals who have been prosecuted in connection with previous DPAs, including those with Tesco Stores Limited, Güralp Systems Ltd and, most recently, Serco. Commentators have pointed to the different considerations for a corporate and the SFO to reach agreement on the factual basis of a DPA compared with the separate evidential issues for the SFO in bringing criminal proceedings against any individuals that may arise following a DPA.

Note that DPAs are only available to corporate defendants and not to the individual employees or directors involved in the criminal conduct.

53 What are the practical steps you need to take to self-report to law enforcement in your country?

Before making a self-report, companies and their advisers are likely to consider the level of investigation that is appropriate to ascertain the extent and nature of the potential offending, balancing this against a risk that any delay in reporting will face criticism and could jeopardise co-operation credit with law enforcement agencies at a later stage.

UK authorities have advised that for a company to be afforded full credit for making a self-report, it must be made within the context of a genuinely proactive and co-operative approach by the company.

The SFO’s outline of the process to be adopted by corporate bodies or their advisers when self-reporting provides that:

  • initial contact, and all subsequent communication, must be made through the SFO’s intelligence unit, using the secure reporting form;
  • hard copy reports setting out the nature and scope of any internal investigation must be provided to the SFO’s intelligence unit;
  • all supporting evidence, including, but not limited to, emails, banking evidence and witness accounts, must be provided to the SFO’s intelligence unit; and
  • further supporting evidence may be provided during the course of any current internal investigation.

In Scotland, the Crown Office and Procurator Fiscal Service’s self-reporting initiative, which applies in relation to corporate bribery offences, requires a written report to be submitted on the company’s behalf by a solicitor.

Responding to the authorities

54 In practice, how does a company in your country respond to a notice or subpoena from a law enforcement authority? Is it possible to enter into dialogue with the authorities to address their concerns before or even after charges are brought? How?

It is both possible and desirable to enter into a dialogue with the relevant authority before or on receipt of a notice or warrant to discuss any concerns the company has, for example that the deadline for compliance is unreasonable, or the description of the information and documents requested is unclear.

With regard to search warrants served on businesses, the police do not usually contact a business to discuss the terms of a warrant prior to turning up and executing the warrant. However, depending on the circumstances, the police may be willing to discuss the implementation of the warrant to avoid unnecessary disruption to the business’s legitimate activities and the risk of the warrant being challenged.

Materials subject to legal professional privilege may be withheld when responding to a search warrant. Warrants often do not address how privileged materials should be handled, and dealing with issues of privilege tends to be a matter for negotiation. The lawyer for the company should object to privileged materials being reviewed or seized and offer to set aside potentially privileged materials for subsequent review by the company’s legal agent. If the authority will not agree to this course, it may be proposed to appoint independent counsel (usually an advocate, barrister or solicitor) to review potentially privileged material and to make an initial determination as to whether or not the material is, in fact, privileged. If the authority will not agree to proceed on that basis, counsel for the company should insist that any privileged material should be sealed, unread and delivered to the court to enable it to adjudicate on the matter. In the event that such suggestions are not acted on by the authority, the company may need to seek to overturn the warrant by presenting to the court a judicial review (or a bill of suspension in Scotland).

55 Are ongoing authority investigations subject to challenge before the courts?

The exercise of powers by any public authority, such as in undertaking an investigation, can be challenged by application to the court for a judicial review (a bill of suspension in Scotland) if considered to be unlawful.

If found to be unlawful, the court can order various remedies, such as stopping the exercise of that power, rendering it ineffective, or awarding damages.

56 In the event that authorities in your country and one or more other countries issue separate notices or subpoenas regarding the same facts or allegations, how should the company approach this?

While attempting to deal with notices or court orders issued by various jurisdictions as one consistent disclosure package would reduce effort and costs, it is generally advisable to deal with them separately but have protocols in place to ensure consistent approaches are maintained to any relevant documents to be produced. Court orders and notices issued under compulsory powers usually negate data protection laws and any obligations of confidentiality to third parties. Consequently, civil proceedings cannot be brought by third parties against a company for its actions in providing material in response to a lawful court order or compulsory notice as long as the material provided was within the scope of the notice or order. However, if the company voluntarily provides material beyond the scope of the notice or order, and in doing so breaches a confidentiality obligation or data protection law, it could expose itself to claims.

57 If a notice or subpoena from the authorities in your country seeks production of material relating to a particular matter that crosses borders, must the company search for, and produce material, in other countries to satisfy the request? What are the difficulties in that regard?

In general, if information is in the control of a company (e.g., a parent company with a right to take possession, inspect or take copies of a subsidiary’s documents), the company will be expected, and may be required, to search for and produce all requested material, even when it is located in another country. In practice, if a company wishes to seek credit for co-operation, it should comply with any reasonable requests, whether or not it is required to.

The exception is when the data protection legislation in the other country does not permit the removal or transfer of the data from that jurisdiction. In those cases, the requesting authority will generally need to use mutual legal assistance to obtain the material through foreign counterparts.

58 Does law enforcement in your country routinely share information or investigative materials with law enforcement in other countries? What framework is in place in your country for co-operation with foreign authorities?

The UK authorities can and do share information and investigative materials with authorities in various other countries (for intelligence purposes and the detection and prevention of crime), whether or not there is a mutual legal assistance agreement with that country. This occurs regardless of whether the country is providing information or materials in return, although reciprocity is generally expected.

Where material is required for a prosecution, a mutual legal assistance request must be made. UK law authorities will only provide assistance that conforms with the UK’s laws and international obligations.

A list of the international mutual legal assistance and extradition agreements to which the UK is a party can be found on the UK government website (https://www.gov.uk/guidance/mutual-legal-assistance-mla-requests). Having left the European Union, the United Kingdom will now have to request assistance from EU Member States (and vice versa) using channels provided for under the 1959 Council of Europe Convention on Mutual Assistance in Criminal Matters and its protocols, as supplemented by the EU–UK Trade and Cooperation agreement.

The UK authorities can provide further assistance by conducting dawn raids in the United Kingdom on the foreign authority’s behalf, interviewing witnesses or suspects, freezing assets, or arresting and extraditing suspects.

59 Do law enforcement authorities in your country have any confidentiality obligations in relation to information received during an investigation or onward disclosure and use of that information by third parties?

Law enforcement authorities have a general duty not to disclose information or material received during the course of an investigation, and which is not otherwise in the public domain, unless the public interest in the disclosure outweighs the private interests of the owner. Furthermore, before disclosing information to a third party, the law enforcement agency should provide the owner with sufficient notice of the request to allow an opportunity for objections to the disclosure (Marcel and Others v. Commissioner of Police of the Metropolis and Others [1992] 2 WLR 50). Any objections should be considered and advance notice should be provided of an intention to disclose regardless. Notice does not have to be given when it would be inappropriate or impracticable to provide notice, for example if it would prejudice an investigation by the law enforcement agency requesting the information (R (on the application of Kent Pharmaceuticals Ltd) v. Serious Fraud Office and another [2005] 1 W.L.R. 1302). The police can also retain property after the Crown Prosecution Service decides not to prosecute, if a private prosecution is being contemplated or is taking place (Scopelight Ltd v. Chief Constable of Northumbria [2009] EWCA Civ 1156; [2010] 1 Cr. App. R. 19).

Section 3 of the Criminal Justice Act 1987 further limits disclosure by the Serious Fraud Office (SFO) to third parties. Information obtained during the course of an investigation by the SFO can only be disclosed to certain specific government departments or bodies, or competent authorities specified in the Act, and only for the purposes of any criminal investigation or criminal proceedings, whether in the United Kingdom or abroad and for the purposes of assisting any public or other authority under the order. The list of competent authorities is comprehensive and includes any entity with supervisory, regulatory or disciplinary functions; however, it does not include liquidators, provisional liquidators, administrators or administrative receivers.

Section 18 of the Commissioners for Revenue and Customs Act 2005 contains an additional statutory duty of confidentiality that criminalises the wrongful disclosure of information about, acquired as a result of, or held in connection with a function of Her Majesty’s Revenue and Customs (HMRC). Disclosures made by HMRC will therefore be made in accordance with specific statutory gateways, such as section 19 of the Anti-terrorism, Crime and Security Act.

60 How would you advise a company that has received a request from a law enforcement authority in your country seeking documents from another country, where production would violate the laws of that other country?

In these circumstances, the company should not provide the documents, but should inform the requesting authority of the reason why these documents cannot be provided (i.e., that the data protection laws in the other country constitute reasonable excuse for lack of compliance).

61 Does your country have secrecy or blocking statutes? What related issues arise from compliance with a notice or subpoena?

The collection and use of personal data are governed by the Data Protection Act 2018 (the DP Act), including restrictions on the disclosure of personal data. Personal data is defined as data that relates to a living individual who can be identified from that data. The data protection principles set out how personal data should be processed, which include that it should be fairly and lawfully processed as well as only processed as far as is necessary. The DP Act also gives certain rights to the data subjects. In practice, this can mean that unless certain conditions are achieved, personal data should not be transferred. However this is subject to certain relaxations if the material is requested by a notice or court order issued on the grounds that the material is necessary for the prevention or detection of crime, the apprehension or prosecution of offenders, the assessment or collection of any tax or duty, or of any imposition of a similar nature.

In Elgizouli v. Secretary of State for the Home Department [2020] UKSC 10, the United States had made a mutual legal assistance request to the United Kingdom. The Home Secretary requested that the information would not be used in a prosecution in which the death penalty would be the resultant sentence. This assurance could not be given but the information was provided in any event. The UK Supreme Court determined that the decision had been unlawful under the DP Act.

The term ‘blocking statute’ is generally not applicable except in the field of financial and trade sanctions, for which there is blocking legislation in relation to specific US sections that have extraterritorial application.

62 What are the risks in voluntary production versus compelled production of material to authorities in your country? Is this material discoverable by third parties? Is there any confidentiality attached to productions to law enforcement in your country?

When material is provided voluntarily and without restrictions, the authority is free to share it with third parties or other authorities, and to use it for any purpose.

In general, it is advisable only to provide material voluntarily having obtained contractual undertakings that agree the restricted basis on which the material has been provided (e.g., only for use by that authority in the course of an investigation and not to be shared with other parties).

Although contractual undertakings restrict an authority’s ability to voluntarily provide material to other parties, they do not prevent third parties from obtaining court orders against the authority requiring production of the material. However, production orders should only be granted when it is in the interests of justice, and the fact that the material came into the possession of the authority under the restrictions imposed by the undertakings may lead a court to determine that it is not appropriate to grant a production order against the authority in that context, particularly as the third party could attempt to obtain the documents from an unfettered source, such as the company.

In general, authorities are restricted as to how they can share material they obtain as a result of exercising their compulsory powers or court orders, and customarily such material should only be shared when it is necessary for an investigation and the disclosure is proportionate.

Prosecution and penalties

63 What types of penalties may companies or their directors, officers or employees face for misconduct in your country?

Penalties on conviction include imprisonment for individuals, fines, compensation and confiscation orders. Individuals can also be disqualified from being a director of a company for up to 15 years. Monitoring may be imposed as part of a deferred prosecution agreement.

Companies convicted of certain offences, including active bribery and money laundering, must also be debarred from public tendering for up to five years.

Regulatory authorities can impose additional penalties. For example, the Financial Conduct Authority can withdraw a firm’s authorisation and prohibit it from undertaking specific regulated activities for up to 12 months, prohibit individuals from carrying out regulated activities, or impose fines on firms or individuals. The Prudential Regulation Authority (which is responsible for the prudential regulation and supervision of around 1,700 banks and other firms) can restrict a firm’s permission to conduct regulated activities or impose a fine. Her Majesty’s Revenue and Customs can also consider the imposition of restrictions in respect of regulation or licensing regimes for matters under its control.

64 Where there is a risk of a corporate’s suspension, debarment or other restrictions on continuing business in your country, what options or restrictions apply to a corporate wanting to settle in another country?

The Public Sector Procurement Directive (2014/24/EU) was transposed into UK law by the Public Contracts Regulations 2015 (the 2015 Regulations). Under these Regulations, a company must be excluded from public procurement if it has been convicted in the past five years of any offences from a list that includes conspiracy, corruption, bribery, money laundering and fraud. The corporate offence of failure to prevent bribery (Bribery Act 2010, section 7) is not included in this list of offences for mandatory debarment (although a conviction could lead to discretionary debarment).

The 2015 Regulations also provide a list of offences that carry discretionary debarment for up to three years, including professional misconduct, non-payment of tax and distortion of competition.

The 2015 Regulations allow companies to recover eligibility to bid for public contracts following a debarment by demonstrating evidence of self-cleaning, such as the payment of compensation to the victim of the offending, clarification of the facts and circumstances of the offence in a comprehensive manner, co-operation with the investigating authority, and the implementation of appropriate measures to prevent further criminal offences or misconduct.

65 What do the authorities in your country take into account when fixing penalties?

When fixing penalties following conviction, courts must have regard to the sentencing guidelines published by the Sentencing Councils for England and Wales and Scotland. Similarly, in Northern Ireland, sentencing guidelines are issued by the Lady Chief Justice’s Office.

Specific sentencing guidelines were published in 2014 for England and Wales (not Northern Ireland) in respect of corporate fraud, bribery and money laundering offences providing that, when sentencing a company, the court must first determine whether compensation or confiscation orders should be made. Thereafter, the court should consider, inter alia, the following issues:

  • the level of culpability and financial harm;
  • any aggravating or mitigating factors, for example whether the criminal activity was endemic or whether the corporate offered full co-operation with the law enforcement authority during the investigation;
  • the financial circumstances of the company; and
  • the stage at which a guilty plea was entered (if the matter was not contested).

Resolution and settlements short of trial

66 Are non-prosecution agreements or deferred prosecution agreements available in your jurisdiction for corporations?

Deferred prosecution agreements (DPAs) have been available in England and Wales (as a result of the Crime and Courts Act 2013) since 2014 as an alternative disposal for corporate offending. DPAs are not currently available in Scotland, where a civil settlement regime applies, or in Northern Ireland. Non-prosecution agreements do not exist in the United Kingdom, although Her Majesty’s Revenue and Customs (HMRC) applies a published selective prosecution policy and so, in a range of situations, may pursue suspected wrongdoing by means of its civil powers, most specifically by the use of the ‘contractual disclosure facility’, which affords immunity from criminal action if full material disclosure is made within a civil enquiry and settlement into an individual (rather than body corporate).

The Serious Fraud Office (SFO) and Crown Prosecution Service (CPS) have published a Code of Practice explaining the DPA process (the CPS rather than HMRC will determine the merits of seeking to agree a DPA in respect of domestic tax facilitation prosecutions). The SFO issued guidance in summer 2019 setting out factors amounting to co-operation with its investigations and, in October 2020, published a chapter from its handbook adding to the transparency around how it engages with companies when a DPA is in prospect.

A prosecutor may invite, at its discretion, a corporate suspect into DPA negotiations if it determines that having identified the full extent of the offending, the evidential test has been satisfied and the public interest would benefit from a DPA. Until the Rolls-Royce case, the orthodox view was that a corporate will only be invited to negotiations when a self-report has been made and the corporate has fully co-operated with the authority. Following Rolls-Royce, it is possible that a DPA may be negotiated in wider circumstances, including when there has been no self-report but subsequent extraordinary co-operation by a corporate with the law enforcement authority.

If it is possible to agree the terms of a DPA and a statement of facts, the corporate will be formally charged with the criminal offence or offences and the matter will be brought before a judge for approval. The judge will only approve the DPA if satisfied that it is in the interests of justice and the terms are fair, reasonable and proportionate. The judge can adjourn the matter to obtain further information or clarification as to the facts or terms.

If judicial approval is given, the criminal proceedings will be suspended for a set period as defined by the terms of the DPA. The terms and facts of the DPA will then be published on the authority’s website.

If the corporate complies with the terms of the DPA, the criminal proceedings will be formally discontinued at the conclusion of the set period. If the corporate breaches the terms and the breach cannot be remedied, the criminal proceedings will resume.

To date, 12 DPAs have been agreed in the United Kingdom.

67 Does your jurisdiction provide for reporting restrictions or anonymity for corporates that have entered into non-prosecution agreements or deferred prosecution agreements until the conclusion of criminal proceedings in relation to connected individuals to ensure fairness in those proceedings?

Reporting restrictions can be placed on DPAs while criminal proceedings against connected individuals are under way. Reporting restrictions were imposed on the Sarclad and Tesco DPAs because of ongoing proceedings against the individuals allegedly responsible for the misconduct. Following the conclusion of those proceedings, the reporting restrictions were lifted. Reporting restrictions currently apply to the two most recent DPAs entered into by ‘two unnamed companies’ following their judicial approval on 19 July 2021.

68 Prior to any settlement with a law enforcement authority in your country, what considerations should companies be aware of?

Before entering into a settlement with a law enforcement authority, a company should assess the merits and strength of the prosecution and defence cases, the likelihood of conviction, the expected time, cost, reputational damage and other adverse effects of a lengthy investigation and trial, and the likely penalties in the event of a conviction, including possible debarment from public procurement tenders.

The company should then carefully assess the terms of the proposed settlement, including the effect that continuing co-operation could have on the business (legal costs, staff resources, etc.); whether the settlement will resolve the matter in all relevant jurisdictions and, if not, the effect the settlement could have in regard to ongoing investigations in other jurisdictions (e.g., whether the authority that has settled will disclose information and assist foreign authorities); and any other adverse effects that the settlement could have on the future of the business.

Ultimately the company should balance the seriousness of the charge and the potential consequences of a conviction (including whether it results in debarment) against the terms of the settlement, as in some circumstances the terms of a settlement, including, for example, the costs of regular review and monitoring by an independent monitor (typically a large accountancy or law firm), could be more disadvantageous to a company than a conviction.

69 To what extent do law enforcement authorities in your country use external corporate compliance monitors as an enforcement tool?

The Crime and Courts Act 2013 and the related guidance permit the appointment of monitors in appropriate cases. The Deferred Prosecution Agreements Code of Practice (the DPA Code) sets out the roles, duties and mechanics of appointing monitors as a term of a DPA. The Code of Practice stops short of requiring the appointment of a monitor as a condition of a DPA. The G4S C&J DPA agreed in July 2020 was the first that required an SFO-approved independent monitor to report on the organisation’s compliance improvements over the DPA’s three-year duration.

70 Are parallel private actions allowed? May private plaintiffs gain access to the authorities’ files?

Parallel private civil actions are allowed. Generally, but not always, the criminal proceedings will take precedence and civil proceedings can be stayed for the duration of the criminal investigation, so as not to prejudice any criminal proceedings.

Private claimants will only gain access to specified information in the authority’s files if they obtain a court order. Before making any such order, the court would carefully consider the reason why the private claimant requires the information, whether the claimant would be able to obtain the information from any other source, the method by which the authority obtained the relevant information, for example if it was obtained under compulsory powers, and whether the information is likely to contain any confidential, privileged or personal information relating to third parties.

Increasingly, small numbers of private criminal prosecutions involving allegations of fraud are being conducted in the courts of England and Wales. The instigation of a private prosecution is provided for in section 6 of the Prosecution of Offences Act 1985 and is subject to a power of the Director of Public Prosecutions to take over the private prosecution at any stage (and, if the Director chooses, to discontinue it).

Publicity and reputational issues

71 Outline the law in your country surrounding publicity of criminal cases at the investigatory stage and once a case is before a court.

It is a contempt of court to publish a report, including via social media posts, that creates a substantial risk that the course of justice in active criminal proceedings will be seriously impeded or prejudiced. Proceedings are active for this purpose after arrest or charge and until the proceedings have been concluded, for example by acquittal or conviction, or discontinuance by the authority. As a result, there is generally very little substantive media reporting of criminal investigations until the end of a trial, other than to state the facts of arrests and report court hearings.

72 What steps do you take to manage corporate communications in your country? Is it common for companies to use a public relations firm to manage a corporate crisis in your country?

It is common practice for companies to hire a public relations (PR) firm to manage a large-scale corporate crisis to mitigate potential reputational damage. It is important to ensure a consistent approach by opening good lines of communication between the company’s internal marketing team and the external PR firm, and to ensure that the PR firm is aware of any legal or corporate issues (including any agreements reached with the investigating authority with regard to press releases, etc.).

It is also vitally important that public statements do not have the potential effect of prejudicing ongoing criminal proceedings (for example, the trial of the company or individual employees) or contradict any defence on which the company may later seek to rely. For those reasons, statements issued by a company under investigation should be brief and factual, and should always be approved by the company’s criminal law advisers.

73 How is publicity managed when there are ongoing related proceedings?

It is vitally important that public statements issued by the company do not have the potential effect of prejudicing ongoing criminal proceedings, such as the related prosecution of employees or third parties.

Duty to the market

74 Is disclosure to the market in circumstances where a settlement has been agreed but not yet made public mandatory?

Under the UK Listing Rules, publicly listed companies must issue a market announcement without delay regarding any major new development that may affect their business, if the development may lead to a material movement in the companies’ listed securities (including shares and bonds). The point at which a company is informed that it is the subject of an investigation would generally require an announcement, as would the settlement of criminal proceedings.

If the matter is to be settled by way of a deferred prosecution agreement, the matter is not settled until it has actually been approved by a judge at a court hearing. In practice, prior to the final hearing (at which the parties will generally expect approval to be given, as the terms, among other things, will have been examined and challenged at preliminary hearings), the company and the authority will have agreed press statements to be released to the market and wider public as soon as approval is given.

Similarly, under the Alternative Investment Market Rules (AIM is a sub-market of the London Stock Exchange), an AIM company is required to update its nominated adviser (Nomad) of any developments that may affect the business if that development may lead to a significant price movement of its securities. The Nomad is responsible to the London Stock Exchange for advising the AIM-listed company on its responsibilities regarding its admission to AIM and continuing obligations to the market. With the assistance of the Nomad, an AIM company is required to issue notifications of any developments to the market without delay.

Environmental, Social and Corporate Governance (ESG)

75 Does your country regulate ESG matters?

ESG issues are becoming increasingly important parts of the corporate agenda. Organisations are subject to a number of mandatory reporting requirements on ESG issues and many companies choose to adhere to voluntary reporting frameworks and initiatives. There is no single piece of ESG legislation setting out specific obligations to which UK organisations must adhere, but rather an array of legislation on equality and diversity, protection of employees, health and safety, protection of the consumer, environmental protection and human rights. Some examples of this legislation are as follows:

  • Companies Act 2006, section 172 requires that a director ‘act in the way he considers, in good faith, would be most likely to promote the success of the company for the benefit of its members as a whole’, having regard to a number of statutory factors such as the likely consequences of any decision in the long term, the interests of the company’s employees and the company’s business relationships with suppliers, customers and others. Large companies are required to report on this by way of a ‘section 172 statement’ describing how the directors have had regard to employees and other interests when performing their duty.
  • Companies Act 2006, section 415 requires all companies (other than small companies) to prepare a strategic report for each financial year as part of their annual report. The report must include, to the extent necessary to understand the development, performance or position of a company’s business, analysis using key performance indicators (KPIs), including information on environmental matters. The government’s Environmental Reporting Guidelines identify six environmental KPIs, namely greenhouse gases, water, waste, resource efficiency and materials, biodiversity and ecosystem services, and emissions to air, land and water. Additional requirements apply to quoted companies.
  • The Companies, Partnerships and Groups (Accounts and Non-Financial Reporting) Regulations (SI 2016/1245) implemented aspects of the Non-financial Reporting Directive 2014/95/EU, as regards disclosure of non-financial and diversity information by certain large undertakings and groups.
  • The Companies (Miscellaneous Reporting) Regulations 2018 (SI 2018/860) introduced new reporting requirements in relation to engagement with employees, and engagement with suppliers, customers and other stakeholders, in addition to the requirement for a ‘section 172 statement’. These reporting requirements apply to financial years beginning on or after 1 January 2019.
  • The Modern Slavery Act 2015 requires certain commercial organisations to produce and publish a slavery and human trafficking statement for each financial year. The statement must set out what steps have been taken during the financial year to ensure that modern slavery is not occurring in supply chains or within the organisation.
  • The Companies (Directors’ Report) and Limited Liability Partnerships (Energy and Carbon Report) Regulations 2018 supplement narrative reporting requirements on greenhouse gas emissions and other environmental effects in annual corporate reports under the Companies Act 2006. The Regulations require additional reporting on emissions, energy consumption and energy efficiency action by quoted companies, large unquoted companies and large limited liability partnerships.

In addition to annual corporate reporting on environmental matters, certain environmental regimes also require businesses to report environmental information to the relevant regulator, and the regulators maintain public registers of environmental information about, for example, environmental consents, breaches and enforcement action.

76 Do you expect to see any key regulatory or legislative changes emerge in the next year or so designed to address ESG matters?

In November 2020, the UK government published a road map towards mandatory climate-related disclosures across all sectors of the economy aligned with the recommendations of the Taskforce on Climate-related Financial Disclosures (TCFD). The government announced its intention to make TCFD-aligned disclosures mandatory across the economy by 2025, with a significant portion of mandatory requirements in place by 2023. The UK Taskforce’s Interim Report, and accompanying road map, sets out an indicative pathway to achieving that ambition.

The road map set a timetable for cross-sector full disclosure reporting on the following:

  • pension schemes of over £5 billion, banks, insurance companies and building societies will be expected to comply with TCFD recommendations. Furthermore, UK premium listed companies (for financial years starting on 1 January 2021 onwards) must disclose whether their disclosures are consistent with the recommendations of the TCFD and, if not, explain why and provide a description of steps towards future compliance;
  • smaller pension schemes, asset managers and life insurers will be subject to disclosure requirements from 2022;
  • life insurers, pension providers regulated by the Financial Conduct Authority (FCA) and other UK-authorised asset managers will be subject to disclosure requirements from 2023;
  • all other occupational pensions schemes and UK financial services firms will be subject to mandatory climate-related financial disclosures by 2025; and
  • implementation of a UK green taxonomy (based on the EU taxonomy).

The government will provide an update on progress in the 2022 refresh of the Green Finance Strategy.

It is anticipated that the oversight structure relating to the above will probably require refinement as each of the above steps is embedded. At present, the FCA, the Prudential Regulation Authority, the Department for Work and Pensions and the Department for Business, Energy and Industrial Strategy all share some level of oversight.

A draft Environment Bill includes provisions intended to prevent illegal deforestation by placing controls on the supply chain. These would apply to large businesses with a turnover greater than a set threshold and would prohibit those companies from using a ‘forest risk commodity’ or a product derived from such a commodity in their UK activities unless relevant local laws relating to that commodity had been complied with. It would also require them to establish and maintain a due diligence process for the use of any such products and to report on due diligence undertaken annually.

77 Has there been an increase in ESG-related litigation, investigations or enforcement activity in recent years in your country?

The growth of the body of legislation and regulatory guidance in this area has certainly accelerated, and it is anticipated that it will be accompanied by a corresponding rise in litigation relating to the core areas of ESG.

Financial regulators are making it increasingly clear that they will take action against firms that mislead the public about the climate credentials of their products. On 19 July 2021, the FCA published a letter to the chairs of authorised fund managers setting out regulatory expectations on the design, delivery and disclosure of ESG and sustainable investment funds. The letter emphasised the FCA’s principles for ensuring that any ESG-related claims are clear and not misleading, both at the time of application and on an ongoing basis, enabling consumers to make informed choices. The letter followed the FCA’s detailed report on the effects of presenting funds as ‘sustainable’ on consumer investment decisions (and associated mis-selling risks). Mis-selling of ‘green’ products, for example through misrepresenting ESG ratings or misleading customers as to a fund’s exposure to investments with positive and negative ESG effects, will probably give rise to increasing regulatory scrutiny and consumer claims, whether by way of regulatory interventions (including enhanced supervisory requirements and enforcement actions), litigation or via the Financial Ombudsman Service. The FCA’s current regulatory framework – and proposed changes specifically aimed at ESG products – will be fundamental in this.

In February 2021, the Serious Fraud Office charged a biodiesel trader with fraud and money laundering in connection with its investigation concerning the sustainable fuel sector. Although not an example of ESG-related enforcement, it is an example of how financial crime cases have arisen from sectors that may have a ESG or related focus.

Anticipated developments

78 Do you expect to see any key regulatory or legislative changes emerge in the next year or so designed to address corporate misconduct?

On 4 November 2020, the government published the outcome of its call for evidence in expanding the ‘failure to prevent’ offence to include other economic crime (it currently covers bribery and the facilitation of tax evasion). It concluded that the evidence submitted was inconclusive and that further work was required. The Law Commission was tasked with examining domestic and international models to identify any effective options for reform. On 13 January 2021, a proposed amendment to the Financial Services Bill in 2021, creating a new combined offence of facilitating or failing to prevent certain white-collar offences, was withdrawn before it was debated. On 5 May 2021, the House of Commons library briefing paper on corporate criminal liability was published and, on 9 June 2021, the Law Commission launched its consultation on corporate criminal liability reform. The discussion paper invited responses until 31 August 2021. The Law Commission will analyse the responses and publish an options paper, setting out the options for reform to government.


1 Tom Stocker, Neil McInnes, Natalie Sherborn, Andrew Sackey and Laura Gillespie are partners and Olga Tocewicz is a senior associate at Pinsent Masons LLP. The firm’s white-collar crime, investigations and compliance team wishes to recognise the valuable contributions made by team members, specifically Stacy Keen and David Hamilton (senior associates), Jonathan Flynn (associate), Alistair Wood and Rebecca Devaney (solicitors), Fiona Cameron (professional support lawyer), employment law specialist Paul Gillen (partner), cybercrime specialist Stuart Davey (partner), data protection expert Anna Flanagan (senior associate), governance and corporate law specialist Tom Proverbs-Garbett (senior associate) and environmental law specialist Fiona Ross (senior associate).

Unlock unlimited access to all Global Investigations Review content