Directors’ Duties: The UK Perspective

This is an Insight article, written by a selected partner as part of GIR's co-published content.

9.1 Introduction

Corporate governance has become increasingly important in the context of financial crime compliance and investigations. One reason for the development is that good corporate governance (in the enlarged sense) is a foundation for asserting substantive legal defences to allegations of misconduct. Legislative developments such as the introduction of the UK Bribery Act 2010 and the Criminal Finances Act 2017 mean that the board’s responsibilities for identification, mitigation and ongoing review of financial crime risk have a material impact on whether companies can defend allegations of criminal conduct by associated persons (those providing services to the company). The ‘adequate procedures’ and ‘reasonable prevention procedures’ defences contained in that legislation require companies to demonstrate ‘top-level commitment’ to managing financial crime risk and to show that they have understood and managed their financial crime risks proportionately by reference to the nature, scale and complexity of their operations. In the financial services sector, senior managers in firms subject to the Senior Managers and Certification Regime (SMCR) will have specific statements of responsibilities for which they can be held to account.

In 2014, the United Kingdom introduced deferred prosecution agreements (DPAs) as a new mechanism for resolving corporate criminal investigations where there is evidence of criminal conduct. DPAs have added to the focus on corporate governance. Factors that influence whether to offer a company a DPA resolution include whether the company has an effective compliance programme, the composition and conduct of the management team, and the extent to which corporate structures or processes have been changed to mitigate identified risks. A company’s prevention procedures are therefore relevant to corporate outcomes even where they fall short of the legislative standard required to establish a substantive defence. A company’s commitment to compliance will also be taken into account in calculating the levels of fines or other penalties.

The issue of how companies manage themselves and identify and mitigate risks has therefore become central in financial crime investigations. An investigations process may form part of a company’s prevention procedures and companies should take care to ensure that investigations are sufficiently independent and appropriately robust. Where there are allegations of misconduct that may entail significant reputational or commercial risk, the board (or a board committee or subcommittee) is likely to provide oversight of particular investigations, in addition to providing oversight of a company’s overall compliance obligations. Directors can also be compelled to give evidence as witnesses in government investigations to explain (among other issues) their company’s approach to compliance.[2]

In significant investigations, and subject to managing conflicts of interest, the board is likely to be involved in making strategically important decisions such as whether to self-report suspected misconduct and how to resolve findings of misconduct.

It is therefore important that directors are aware of the multiple sources of their duties and obligations and how they are likely to apply both to the board’s oversight obligations regarding the management of financial crime risk and in specific investigations.

9.2 Sources of directors’ duties and responsibilities under UK law

The core corporate duties owed by directors to their companies are set out in sections 171 to 177 of the Companies Act 2006 (CA 2006). Directors may also have additional statutory and regulatory duties depending on the company they serve. The commentary below identifies and explains the key sources of governance obligations for directors in the United Kingdom. As part of its reform of audit and corporate governance, the government intends to give the Audit, Reporting and Governance Authority (ARGA, the proposed successor to the Financial Reporting Council (FRC)) new powers to investigate and sanction breaches of corporate reporting based on CA 2006 and audit-related responsibilities by directors of public interest entities. ARGA will also have the power to hold directors to account should their conduct fall short of certain behavioural or conduct expectations notwithstanding compliance with the letter of the law.

9.2.1 Companies Act 2006

The duty to act within powers (section 171)

Directors may not abuse their powers. They must act in accordance with the company’s constitution, which includes its articles of association, resolutions, decisions and investment agreements. In addition, directors may only exercise their powers for the purposes for which they are conferred, called the ‘proper purpose test’. The question of whether a power has been exercised properly will turn on whether the ‘substantial’ or ‘dominant’ purpose for which it was exercised was the purpose for which it was conferred.[3] Directors must not exercise their powers to protect their own positions. If power is exercised for a wrongful purpose, the use to which that power is put is voidable.

In the context of a financial crime investigation, it would be an improper use of power if a director sought to prevent, control or influence an investigation to protect his or her own position. A director in this position would also have a conflict of interest, which would engage the separate duty to avoid conflicts of interest. The conduct would also likely breach the duty to promote the success of the company. Investigators must always be alive to the risk of conflicts of interest within the investigation team and in the reporting line.

Duty to promote the success of the company (section 172)

The duty to promote the success of the company is relevant to almost everything a director does. The duty requires directors to act in good faith in a way they consider would be most likely to promote the success of the company for the benefit of its members as a whole. The courts will typically respect the decisions of the board provided that they reach the standard of a good-faith business judgement.

When discharging their duties to promote the success of the company, directors must have regard to a list of factors, including:

  • the likely consequences of any decision in the long term;
  • the interests of the company’s employees;
  • the need to foster the company’s business relationships with suppliers, customers and others;
  • the impact of the company’s operations on the community and the environment;
  • the desirability of the company maintaining a reputation for high standards of business conduct; and
  • the need to act fairly as between members of the company.

The list of factors is not exhaustive. Directors may balance the various factors and they must take into account any other factor that would be relevant to a particular decision.[4]

The Association of General Counsel and Company Secretaries of the FTSE 100 (GC100) and the Chartered Governance Institute have published useful, practical guidance notes relevant to the interpretation and application of this duty.[5] The GC100 Guidance on Directors’ Duties: Section 172 and Stakeholder Considerations (GC100 Guidance) states:

The factors are designed to ensure that, in promoting the success of the company, broader implications of decisions are considered by the directors. You may find it helpful to see the duty as about creating a culture in the business, so that when you take decisions, their wider impact has been considered.[6]

An interesting application of the duty to promote the success of the company to investigations is that where directors may be implicated in misconduct, they must disclose their own wrongdoing.[7] A director who asserts the privilege against self-incrimination will therefore breach this duty.

In insolvency situations, the interests of creditors will take precedence over the interests of members. This can materially change how the board approaches an investigation. A company’s solvency position can change for reasons unrelated to the investigation but also for reasons central to the investigation, such as where there has been an internal fraud. If there are concerns about the company’s solvency, directors should proactively seek legal and financial advice as to their altered duties. The duties owed under sections 171 to 177 of the CA 2006 do continue even after the relevant company has entered into an insolvency procedure.[8]

Since 2019, UK-incorporated companies (with the exception of those qualifying as medium-sized) have been required to include a specific statement in their public annual reporting describing how the directors have had regard to the factors in section 172 of the CA 2006 when performing their duty under that section. The statement is designed to ensure greater transparency around the steps the directors have taken to recognise fully their responsibilities to key stakeholders, relationships and other environmental, social and governance factors that are critical to the long-term sustainable future of the company’s business. The FRC has published guidance to assist companies with their reporting in this area, together with practical reports focusing on how reporting can better meet investor expectations.[9]

General oversight obligations and oversight of material investigations

The section 172 duty to promote the success of the company is central to the directors’ obligations to ensure that a company identifies and mitigates its financial crime risks.

The GC100 Guidance recommends that directors ensure that they receive the information they need to carry out their roles and satisfy the duty. In the context of the board’s oversight duties in relation to compliance, directors should satisfy themselves that both the quality and the frequency of the management information they receive are adequate. Directors need to understand the company’s risk profile and risk assessment, and how the compliance programme responds to these risks. In addition, directors should expect to receive periodic reporting to satisfy themselves that the procedures adopted remain fit for purpose. There is no one-size-fits-all approach, and the detail and frequency of management information will depend on the size, complexity and risk profile of the organisation. Data about non-material issues and investigations will often be aggregated and shared annually. Where the board has oversight of a material investigation, it is likely to require more detailed information and regular information flows. The company should consider the issue of legal privilege in this regard.

Where boards are receiving legally privileged advice about investigations or material compliance issues, how it is communicated to the board and documented in the minutes will need to be carefully managed. The GC100 Guidance states that directors should not be ‘forced to evidence their thought processes’ as this would create unnecessary process and ‘inevitably expose directors to a greater and unacceptable risk of litigation’.

Duty to exercise independent judgement (section 173)

Directors must exercise independent judgement in the interests of their own company, regardless of whether they align with the interests of other group companies. The principle that underpins this duty is that directors must not subordinate their powers to the will of others unless they are authorised to do so under the constitution. Director nominees may therefore follow the instructions of their appointer if the company constitution so allows, provided that they are able to comply with their other legal obligations.

The duty does not prevent directors from seeking and relying on professional advice to form an opinion, provided that the decision they reach is their independent judgement.[10] Directors may also delegate their powers (although they remain responsible for their exercise) provided that such a delegation is authorised.

Directors may also be able to fetter their discretion in certain circumstances, provided that it promotes the success of the company to do so. For example, directors could bind the company to an exclusive commercial arrangement and agree to exercise their powers to ensure that the contract was carried out.

Duty to exercise reasonable care, skill and diligence (section 174)

Directors must exercise reasonable care, skill and diligence in how they discharge their duties. The standard is both objective (that which would reasonably be expected of a director acting with reasonable diligence) and subjective (the general knowledge, skill and experience the particular director has). As a general rule, a non-executive director will not be expected to have the same level of knowledge of the internal workings of the business as an executive director.

Directors must satisfy themselves that they have a proper understanding of the functions and duties of directors, the fundamental principles of company law, the company’s business, the risks faced by the company and the regulatory and compliance regime in which it operates.[11] Directors should also, as a practical matter, ensure that they receive a proper induction and ongoing training to keep their knowledge, skills and experience up to date.

Directors may rely on the expertise of colleagues and advisers in discharging their functions.[12] Indeed, a failure to seek expert advice may amount to a breach of the duty. The right (or duty) to seek advice does not absolve a director from the duty to supervise the discharge of delegated functions.[13] It must be reasonable for directors to rely on the advice of colleagues or advisers.[14] For example, directors must ensure that advisers have appropriate expertise and are instructed to address relevant issues; they should also ensure that advisers are free from conflicts of interest.[15] The question of whether reliance is reasonable will depend on the circumstances.

Although there is no difference between the tests to be applied to executive and non-executive directors, the law recognises that because they fulfil different functions, they will reasonably be expected to exercise different levels of care, skill and diligence. The extent to which a non-executive director may reasonably rely on the executive directors would be fact-sensitive.[16] Non-executive directors should expect to maintain high standards. They would also be expected to properly understand any activity that contributed significantly to a company’s commercial offering or revenues.[17]

Duty to avoid conflicts of interest (section 175)

Companies are entitled to the benefit of impartial decision-making by their directors. Directors therefore have a duty to avoid actual and potential conflicts between their personal interests and those of the company even where they are acting in good faith. The duty is widely drawn. Section 175 of the CA 2006 states: ‘A director of a company must avoid a situation in which he has, or can have, a direct or indirect interest that conflicts, or possibly may conflict, with the interests of the company.’ The reference to indirect interests requires directors to take account of whether persons connected with them[18] might have a conflict of interest.

The application of the duty is acute where it involves the exploitation of a company’s property, information or opportunity, and it is immaterial whether the company could itself have taken advantage of the opportunity or whether it suffered any loss. The test is an objective one and directors must therefore analyse whether a reasonable person would think that the relevant facts and circumstances gave rise to a real and sensible possibility of conflict. If the situation cannot reasonably be regarded as giving rise to a conflict of interest, the duty will not be breached.[19]

The duty will not be infringed where the conflict has been authorised in advance by the directors in accordance with the provisions of the CA 2006.[20] The authorisation will only be effective if the relevant meeting is quorate without counting any interested directors and the authorisation was given without counting their votes. Effective authorisation will require directors to give full disclosure of the scope and nature of the conflict.[21] Directors will not infringe their duties if they act in accordance with provisions in the company’s articles for dealing with conflicts of interest.[22]

Duty not to accept benefits from third parties (section 176)

Directors must not exploit their positions for personal benefit (financial or non-financial). The duty provides that directors must not accept a benefit from a third party conferred by reason of their being a director or their doing (or not doing) anything as a director.[23] The duty will not be infringed if the acceptance of the benefit cannot reasonably be regarded as likely to give rise to a conflict of interest. The duty is very strict and directors need to take account of these obligations when accepting corporate hospitality or gifts. Although in a bribery investigation the focus will be on whether benefits provided to directors or the company were criminal, it is important not to lose sight of this duty where the conduct concerns individual directors. A company may recover the value of any benefits unlawfully received by a director through civil proceedings, and not just criminal action.

Duty to declare an interest in a proposed transaction or arrangement (section 177)

Section 177 of the CA 2006 requires a director to disclose to the other directors the nature and extent of any interest that the director has in relation to a proposed transaction or arrangement with the company. There is no requirement for authorisation. The term ‘arrangement’ is wider than the term ‘transaction’ and includes agreements or understandings having no contractual effect. The interest can be direct or indirect and therefore the interests of connected persons must be considered.[24] The director’s disclosure must be made before the company enters into the transaction or arrangement.

Directors need not make a declaration where they are unaware of having an interest or are unaware of the transaction or arrangement in question. However, they will be assumed to have knowledge of matters of which they ought reasonably to be aware. Directors will therefore need to undertake a certain amount of due diligence regarding their potential interests to avoid breaching the duty.

If the interest cannot reasonably be regarded as likely to give rise to a conflict of interest, it need not be declared. Similarly, no declaration is required if the other directors are already, or ought reasonably to be, aware of the conflict of interest. Finally, interests relating to a director’s service contract need not be declared if they have been considered by a meeting of the directors or a committee appointed for the purpose.

The company’s articles may contain provisions for dealing with conflicts of interest that are designed to prevent a breach of the general duty.[25] Section 182 of the CA 2006 deals separately with declarations of interest in existing transactions or arrangements not already declared under section 177.[26]

Other statutory, common law, equitable and regulatory duties

The statutory duties summarised above are not exhaustive. Directors of all UK companies also owe a duty of confidentiality to the company and have duties to act fairly as between different members and consider the interests of creditors in appropriate circumstances. Directors also have numerous reporting obligations. Other obligations will depend on the nature of the company and its business (including where it is regulated).

9.2.2 UK Corporate Governance Code

Companies with a premium listing of equity shares that have been admitted to trading on the Main Market of the London Stock Exchange are required by the Financial Conduct Authority’s (FCA) Listing Rules[27] to state in their annual report and accounts how they have applied the overarching principles of good governance set out in the FRC’s UK Corporate Governance Code (2018)[28] throughout the financial year and whether or not they have complied with the UK Corporate Governance Code’s specific governance provisions. Companies that have not complied with all relevant provisions must explain their reasons for not doing so. This flexible ‘comply or explain’ approach is designed to promote transparency about the company’s approach to governance, either through a confirmation of adherence to FRC recommended standards or through the provision of a meaningful and robust explanation of non-compliance that enables stakeholders to assess whether the alternative approach taken by the board nevertheless achieves effective governance. The FRC is increasingly scrutinising the quality of governance reporting, and will continue to do so given the proposed extension of its review remit under the government’s audit and governance reforms.

The current UK Corporate Governance Code is the latest iteration of a code of best practice that was first published in 1992. It is periodically reviewed and refreshed to respond to changes in law and best practice. The FRC will consult on further changes in 2023 to reflect the government’s audit and governance reforms, with a view to a revised edition provisionally applying to financial periods commencing on or after 1 January 2024.

The UK Corporate Governance Code currently comprises five pillars:

  • board leadership and company purpose;
  • division of responsibilities;
  • composition, succession and evaluation;
  • audit, risk and internal control; and
  • remuneration.

The UK Corporate Governance Code sets out a number of principles in relation to each of these. Although they are all relevant to the identification and management of financial crime risk and the investigation of issues arising, the principles linked to board leadership and company purpose, division of responsibilities, and audit, risk and internal control are the most relevant.

Principles relating to board leadership and company purpose require directors to act with integrity. They must ensure that they establish a framework of prudent and effective controls to assess and manage risk in which the workforce should be able to raise any matters of concern.

The principles linked to the division of responsibilities highlight that the chair should facilitate board relations and the effective contribution of all the non-executive directors. The chair should also ensure that directors receive accurate, timely and clear information. The board must ensure through its composition that no one individual or group dominates the board and that there is a clear division of responsibility between the leadership of the board and the executive leadership of the business.

The principles further provide that non-executive directors must have sufficient time to meet their responsibilities and ‘should provide constructive challenge, strategic guidance, offer specialist advice and hold management to account’.[29] The company secretary should support the board to ensure that it has what it needs to function effectively and efficiently. This will include making time and proper information available to the board to discharge its oversight responsibilities.

The principles that underpin the section on audit, risk and internal control are of particular relevance in managing financial crime risk. They state:

  1. The board should establish formal and transparent policies and procedures to ensure the independence and effectiveness of internal and external audit functions and satisfy itself on the integrity of financial and narrative statements.
  2. The board should present a fair, balanced and understandable assessment of the company’s position and prospects.
  3. The board should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives.

The audit committee is key in how the company complies with these obligations. The UK Corporate Governance Code sets out the requirements for the audit committee, which is responsible for, among other items:

  • reviewing the company’s internal financial controls and internal control and risk management systems, unless expressly addressed by a separate board risk committee composed of independent non-executive directors, or by the board itself;
  • monitoring and reviewing the effectiveness of the company’s internal audit function or, where there is not one, considering annually whether there is a need for one and making a recommendation to the board;
  • reviewing and monitoring the external auditor’s independence and objectivity;
  • reviewing the effectiveness of the external audit process, taking into consideration relevant UK professional and regulatory requirements . . .[30]

The board retains overall responsibility for assessing and managing the company’s risks. Boards must carry out a robust assessment of the company’s emerging and principal risks, have in place procedures to identify its emerging risks and explain how these are being managed or mitigated. The board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness and report on that review in the annual report. In light of the government’s audit and governance reforms, the FRC intends to consult on the inclusion in the UK Corporate Governance Code of an explicit statement from the board about its view of the effectiveness of the internal control systems (including financial, operational and compliance systems) and the basis for its assessment. Once implemented, this will go beyond the current expectations of the Code, which does not include a specific requirement for boards to report whether they consider the control systems to be adequate or effective following their review. Reforms will also require directors to state whether they plan to seek any external assurance of their internal controls reporting.

Separately, the FRC has published various guidance notes to assist companies in applying the principles and complying with the provisions of the UK Corporate Governance Code. The most significant of these include the FRC’s Guidance on Board Effectiveness (2018), its Guidance on Audit Committees (2016), and its Guidance on Risk Management, Internal Control and Related Financial and Business Reporting (2014). The FRC intends to update each of these to ensure that the guidance is fully aligned with any changes to the UK Corporate Governance Code following the government’s audit and governance reforms.

The UK Corporate Governance Code does not override or seek to interpret the general duty under section 172 of the CA 2006 to promote the success of the company. However, it is clear from the FRC’s Guidance on Risk Management, Internal Control and Related Financial and Business Reporting, in particular, that many of the suggestions for how to identify and manage risk (as set out in Appendix C) will apply in both the context of the general section 172 duty and also the duty to exercise reasonable care, skill and diligence.

9.2.3 Governance arrangements for other listed companies

Companies with a standard listing of equity shares that have been admitted to trading on the Main Market of the London Stock Exchange must also report on their corporate governance arrangements under the FCA’s Disclosure Guidance and Transparency Rules (DTR) 7.2. This requires the inclusion of a statement in the annual report that, among other matters, identifies the governance code the company applies (or an explanation where it does not apply a code) and discloses and explains any departures from it. The statement must include other prescribed regulatory disclosures, including, in particular, a description of the main features of the issuer’s internal control and risk management systems in relation to the financial reporting process. Many standard-listed companies choose to apply the UK Corporate Governance Code voluntarily.

Since 2018, companies listed on the London Stock Exchange’s AIM market[31] must adopt and identify a recognised corporate governance code. Such companies must also set out how they comply with that code or explain their reasons for non-compliance.[32] While the London Stock Exchange does not prescribe any recognised codes, it has referred to both the UK Corporate Governance Code and the governance code published by the Quoted Companies Alliance (the QCA Code) as established benchmarks for AIM companies. The QCA Code is intended to provide small and mid-sized UK quoted companies with a governance framework tailored to their needs and that is less prescriptive than the UK Corporate Governance Code. The QCA Code consists of 10 corporate governance principles built around core themes of delivering growth, maintaining a dynamic management framework and building trust. It also provides step-by-step guidance on how to apply the principles effectively and the related disclosures companies should make. Of particular relevance are Principles 4, 8 and 9. Principle 4 requires a description of how the board has embedded effective risk management to execute and deliver strategy, including a description of what the board does to identify, assess and manage risk, and how it gets assurance that the risk management and related control systems in place are effective. Principle 8 seeks to promote a corporate culture based on ethical values and behaviour. Principle 9 requires the maintenance of governance structures and processes that are fit for purpose and support good decision-making by the board.

9.2.4 Governance principles for large private companies

In recent years, the government has extended its focus on corporate governance to very large UK-incorporated companies. This is in recognition that large private companies represent a substantial and expanding part of the economy. Specifically, the CA 2006 requires UK companies with either (1) more than 2,000 employees globally or (2) an annual turnover of more than £200 million and a balance sheet total over £2 billion globally to include a statement as part of their reporting identifying which corporate governance code, if any, has been applied and how.[33] Any departures from the code and the reasons for them must be disclosed. If the company has not applied a corporate governance code, the statement must explain why and what arrangements for corporate governance were applied. Statements must also be published on a website maintained by or on behalf of the company.

Under the leadership of the Wates Committee, the FRC and others have developed the Wates Corporate Governance Principles for Large Private Companies to assist with governance reporting.[34] These set out six principles that such companies should consider within the context of the company’s specific circumstances and are supported by accompanying guidance to help companies in explaining their approach to applying each principle. The guidance does not, however, need to be reported against on a ‘comply or explain’ basis as is the case under the UK Corporate Governance Code.

The two principles most relevant to financial crime investigations are Principles 3 (Director responsibilities) and 4 (Opportunity and risk). Principle 3 requires the board and individual directors to have a clear understanding of their accountability and responsibilities, and states that the board’s policies and procedures should support effective decision-making and independent challenge. The responsibility for reviewing the governance processes to confirm that they remain fit for purpose and considering any initiatives that could strengthen them resides with the chairman and company secretary. The guidance also emphasises the importance of the integrity of information and that the board papers and supporting information should inform the directors what is expected of them on each issue.

Principle 4 states that the board is responsible for a company’s overall approach to strategic decision-making and both financial and non-financial risk management, including reputational risk. The board must have oversight of risk and how it is managed, and provide appropriate accountability to stakeholders: ‘The size and nature of the business will determine the internal control systems put in place to manage and mitigate both emerging and principal risks. Some companies may decide to delegate to a committee to oversee such matters.’ The accompanying guidance further elaborates on the board’s responsibilities in this area.

9.2.5 Senior managers regime

The joint Prudential Regulation Authority (PRA) and FCA regime for supervising and approving the conduct of individuals in regulated firms, the SMCR, replaced and extended the previous oversight rules for individuals, the Approved Persons Regime. This was a response to the perceived ‘firewall of accountability’ protecting senior management from regulatory enforcement. The SMCR is intended to clarify and enhance the division of responsibilities in firms, improve the conduct of all staff and make disciplinary action against individuals easier for the PRA and FCA (the regulators).[35]

The SMCR regulates individuals in three segments, divided roughly according to seniority:

  • Senior managers are the most senior individuals responsible for managing aspects of a firm’s affairs that risk serious consequences for the firm or business in the United Kingdom.[36]
  • Certification regulates other individuals in firms that the FCA considers conduct types of roles that carry a risk of significant harm to consumers or the market.[37]
  • The conduct rules govern the behaviour of all other employees within firms whose roles relate to regulated or unregulated financial services activity.

There is no territorial limit, so the SMCR can capture individuals based overseas, and is not limited to employees.

Banks, insurers and the largest FCA regulated firms must also submit to the regulators a very detailed ‘responsibilities map’ of senior individuals, oversight, governance and reporting lines, and a statement of responsibilities for each senior management function manager (SMF manager) setting out what matters that individual is responsible for. The documents must explain to whom certain standard ‘prescribed responsibilities’ designated by the regulators have been allocated. These documents must be kept up to date.

Only SMF managers are now approved as fit and proper by the regulators: in contrast to the previous approved persons regime, certified persons (who will in many cases include individuals previously approved by the FCA) will now only be certified as fit and proper by their employer firms, not the regulators. Firms must test and confirm the fitness and propriety of SMF managers and certified staff annually. This is likely to lead to more employment claims from staff who lose their certification.

The regulators can take disciplinary action against individuals in any of these three categories for breach of the conduct rules or for being ‘knowingly concerned’ in the firm’s breach of the regulatory regime. In addition to the previous ‘knowing concern’ test, there is a further statutory test[38] for taking action against a senior manager where (1) the firm breaches a regulatory rule or requirement, (2) the senior manager was at the time responsible for the activities of the firm where the breach occurred and (3) the senior manager failed to take reasonable steps to prevent, or stop, the breach. The test imposes a ‘duty of responsibility’ on senior managers, which has made the record-keeping of decisions and execution of duties more important.

Complementary rules on handover arrangements where senior managers depart, notifications of breaches to the regulators, and requirements for detailed regulatory references when certified or senior management staff leave a firm are designed to enhance the effectiveness of the regime.

Consequences of breach

The potential consequences for staff subject to the conduct rules who are found by the relevant regulator to have engaged in misconduct or market abuse include a private warning, public censure, unlimited financial penalty and, in the case of SMF managers, a restriction, suspension or prohibition from carrying on a relevant role. While some forms of directors’ and officers’ insurance cover the costs of representing an individual in an investigation, the FCA has drafted rules to ensure a financial penalty is paid by the person on whom it is imposed. GEN 6.1.4A of the FCA Handbook prohibits a regulated firm from paying any financial penalty imposed on an employee, a director or a partner of the firm or of an affiliated company. GEN 6.1.5 is widely drafted to prohibit insurance arrangements designed to indemnify any person against all or part of a financial penalty.

9.3 Expectations, not obligations

A recent judgment handed down in the context of approving a deferred prosecution agreement[39] may illustrate changing expectations of how boards will behave where internal investigations identify evidence of possible criminal conduct. In this case the company had no obligation to self-report concerns about misconduct and chose not to do so. The judge observed that:

the main Board . . . was primarily concerned to minimise the adverse consequences of the offending for the Group. In my judgment the proper course for it to have adopted, not as a matter of legal duty, but as a matter of ethical corporate governance was to report the known facts to the SFO. . . . I accept that there was no legal requirement to report suspected crime to the authorities, but there is a moral duty on all citizens in this respect which extends at least equally to corporations. This failure by the Board of FWL was deplorable.

These comments are interesting for numerous reasons. In the context of this chapter, we limit our remarks to noting that the judge’s observations are not binding law but may illustrate the changing expectations in respect of board behaviour, and the risk of judicial criticism where they are not met.

9.4 Conclusion

There are many and varied sources of corporate governance obligations and related duties on boards and companies. Although the standards expected of the board as a collective and directors individually will vary depending on the company (listed, regulated, subject to the SMCR, large, complex and so on) and the issues involved, there is considerable convergence in relation to the types of behaviour that are regarded as constituting good practice for identifying and managing risk (including financial crime risk). Directors must ensure that they understand their duties and obligations and their application to their compliance oversight obligations.


[1] Nichola Peters, Michelle de Kluyver and Jaya Gupta are partners at Addleshaw Goddard LLP.

[2] While directors can also become suspects in an investigation, this chapter focuses on oversight responsibilities and not directors’ individual defence rights.

[3] Howard Smith Ltd v. Ampol Petroleum Ltd [1974] A.C. 821; Eclairs Group Ltd v. JKX Oil & Gas Plc [2015] UKSC 71; [2016] 3 All ER 641.

[4] Re Phoenix Contracts (Leicester) Ltd [2010] EWHC 2375 (Ch).

[5] The GC100 Guidance on Directors’ Duties (2007), and Guidance on Directors’ Duties: Section 172 and Stakeholder Considerations (2018); Chartered Governance Institute’s Guidance Note Directors’ General Duties (2020).

[6] The GC 100 Guidance on Directors’ Duties – Section 172 and Stakeholder Considerations (2018), p.3.

[7] Item Software (UK) Ltd v. Fassihi [2004] EWCA Civ 1244.

[8] As discussed in Hunt (as Liquidator of System Building Services Group Ltd) v. Michie & Ors [2020] EWHC 54 (Ch).

[9] See the Financial Reporting Council’s (FRC) Guidance on the Strategic Report (2018) and the FRC Financial Reporting Lab’s Section 172 Statements – How to make them more useful (2020) and Reporting on stakeholders, decisions and Section 172 (2021).

[10] Duomatic Ltd, Re [1969] 2 Ch. 365; [1969] 2 WLR 114; (1968) 112 SJ 922.

[11] Raithatha (as liquidator of Halal Monitoring Committee Ltd) v. Baig [2017] All ER (D) 244.

[12] Duomatic Ltd (see supra note 10).

[13] Bradcrown Ltd, Re [2002] B.C.C. 428; [2001] 1 B.C.L.C. 547.

[14] Coleman Taymar Ltd v. Oakes [2001] 2 B.C.L.C. 749.

[15] Iesini v. Westrip Holdings Ltd [2009] EWHC 2526 (Ch); [2010] B.C.C. 420; [2011] 1.

[16] Equitable Life Assurance Society v. Hyman [2002] 1 A.C. 408; [2000] 3 WLR 529; [2001] Lloyd’s Rep. IR 99.

[17] Continental Assurance Co of London Plc (In Liquidation), Re [2001] All ER (D) 229; Raithatha (as liquidator of Halal Monitoring Committee Ltd) v. Baig [2017] All ER (D) 244; Barings Plc (No. 5), Re, Secretary of State for Trade and Industry v. Baker [1999] 1 B.C.L.C. 433.

[18] By reference to the list set out in the Companies Act 2006 (CA 2006), s.252.

[19] CA 2006, s.175(4)(a).

[20] ibid., s.175(4)(b).

[21] The GC100 has published guidance on Directors’ Conflicts of Interest (2008), which includes guidance on authorisation.

[22] CA 2006, s.180(4)(b).

[23] ibid., s.176.

[24] See ibid., s.252.

[25] ibid., s.180(4)(b).

[26] Breach of CA 2006, s.182 is a criminal offence.

[27] A company with a premium listing of equity shares must also report on its governance arrangements in a corporate governance statement required by Rule 7.2 of the FCA’s Disclosure Guidance and Transparency Rules. However, a company that complies with the Listing Rule requirement to report against the UK Corporate Governance Code on a ‘comply or explain’ basis will satisfy the requirements of DTR 7.2. A premium listed company must also comply with the Listing Principles and Premium Listing Principles within the FCA’s Listing Rules, including taking reasonable steps to establish and maintain adequate procedures, systems and controls to enable it to comply with its obligations.

[29] UK Corporate Governance Code, Principle H.

[30] UK Corporate Governance Code, Provision 25.

[31] AIM – the international market for smaller, growing companies operated by the London Stock Exchange.

[32] AIM Rules, Rule 26.

[33] Premium and standard listed companies required to report on their corporate governance arrangements under the FCA’s Disclosure Guidance and Transparency Rules (DTR) 7.2 are not within scope. Community interest companies and charitable companies are also exempted.

[35] Firms caught by the SMCR will either report solely to the FCA (solo-regulated) or to both the FCA and PRA (dual-regulated). A firm’s reporting route will depend on whether it is dual- or solo-regulated.

[36] The description set out in s.59ZA, Financial Services and Markets Act 2000 as amended by the Financial Services (Banking Reform) Act 2013. This is the legislative provision empowering the PRA and FCA to designate senior manager functions.

[37] This paraphrases the description set out in s.63E of the Financial Services and Markets Act 2000 (as amended, ibid.), which is the legislative provision empowering the PRA and FCA to designate certification functions.

[38] In the Financial Services and Markets Act 2000 (as amended), s.66A.

[39] Director of the Serious Fraud Office v. Amec Foster Wheeler Energy Limited [2021] Lloyd’s Rep. FC Plus 27.
