United Kingdom

The questions have been answered from the perspective of the laws of England and Wales. Different considerations may, however, apply in the legal regimes of Scotland and Northern Ireland. References to ‘England’ and ‘English law’ should be taken as referring to ‘England and Wales’ and the ‘laws of England and Wales’.

General context, key principles and hot topics

1 Identify the highest-profile corporate investigation under way in your country, describing and commenting on its most noteworthy aspects.

Since publication of the previous edition of this chapter, there have been a number of high-profile resolutions and continuing corporate investigations, as summarised below. However, there have not been any new deferred prosecution agreements (DPAs) in this period, with the most recent being that entered into by the Serious Fraud Office (SFO) in July 2021 with two as yet unnamed companies.

Serious Fraud Office

Glencore Energy (UK) Ltd

In June 2022, Glencore Energy (UK) Ltd, a subsidiary of the Anglo-Swiss global mining group Glencore, pleaded guilty to seven counts of bribery in connection with its operations in several African countries. Glencore admitted to paying bribes between 2011 and 2015 of more than US$28 million for preferential access to oil – including increased cargoes, valuable grades of oil and preferable dates of delivery – across its oil operations in Nigeria, Cameroon, Ivory Coast, Equatorial Guinea and South Sudan.

This guilty plea formed part of a reportedly US$1.1 billion global resolution that Glencore reached with the authorities in the United States, Brazil and the United Kingdom. Investigations by the Dutch and Swiss prosecutors in relation to alleged corruption in the Democratic Republic of the Congo are continuing.

Following its guilty plea, Glencore was convicted on all charges brought by the SFO, including five charges under section 1 of the Bribery Act 2010 (UKBA) and two charges relating to the corporate offence of ‘failure to prevent bribery’ under section 7 of the UKBA. In November 2022, Glencore was ordered to pay a total financial penalty of almost £281 million, comprising a fine of £183 million, a confiscation order of £93.5 million and prosecution costs of £4.5 million. This is the largest confiscation order to date for an SFO case and the total financial penalty is the highest ever ordered in a UK corporate criminal conviction.

Rio Tinto

In July 2017, the SFO announced a criminal investigation into suspected corruption in relation to the conduct of business by the mining group Rio Tinto in the Republic of Guinea. The investigation reportedly relates to an alleged US$10.5 million payment made in 2016 to a consultant to help secure two development blocks for the company at an iron ore project in the West African nation. In November 2016, Rio Tinto self-reported to the SFO, the US Department of Justice and the Australian Securities and Investments Commission and dismissed two senior employees over the payment.

Rather unusually given the strict confidentiality undertakings that generally apply to the DPA process, it was reported in July 2020 that Rio Tinto and the SFO were discussing the potential resolution of the investigation via a DPA. However, as both the company and the SFO declined to comment, it is difficult to assess the accuracy of the report.

ENRC

In April 2013, the SFO announced a criminal investigation into mining conglomerate ENRC Ltd (previously named ENRC Plc) (ENRC) and its group in relation to alleged fraud, bribery and corruption in Kazakhstan and Africa. Though this investigation remains ongoing, recent developments have been highly damaging for the SFO.

In the two years prior to the SFO opening its investigation, ENRC had retained the services of international law firm Dechert LLP, which had acted principally through its then partner Neil Gerrard. Following a breakdown in relations between ENRC and Dechert, ENRC sued its former lawyers and the SFO in High Court civil proceedings alleging that (1) Mr Gerrard acted deliberately and at least recklessly, without the authority of ENRC and against its interests, with the ultimate aim of inflating Dechert’s fees and (2) the SFO was complicit, in that it knew or was reckless as to the fact that Mr Gerrard was acting without authority and against his client’s own interests. In May 2022, the High Court found that the allegations against Mr Gerrard were well-founded, in that he had deliberately leaked privileged and confidential information to the press, tipped off the SFO and acted in reckless breach of duty by having a number of unauthorised contacts with the SFO. The Court also found that the SFO had acted in breach of duty by receiving tip-offs from Mr Gerrard and participating in the unauthorised contacts, finding that the SFO was motivated by ‘bad faith opportunism’.

A hearing to assess damages and costs is yet to take place. In the meantime, the SFO’s criminal investigation into ENRC is believed to be continuing.

Financial Conduct Authority

Carillion plc (in liquidation)

In July 2022, the FCA published decision notices in relation to the former construction and facilities management group Carillion plc and three of its former executives. The FCA found that, in breach of the Market Abuse Regulation (EU) No. 596/2014 and the applicable Listing Rules, Carillion recklessly published announcements that were misleading and did not fully or accurately disclose the true financial performance of the group. In particular, the announcements did not reflect the significant deterioration in the expected financial performance of its UK construction business and the increasing financial risks associated with it. The FCA imposed a public censure on Carillion but explained that, were it not for Carillion’s financial circumstances, it would have imposed a financial penalty of almost £38 million. The three individuals, but not Carillion, have referred their decision notices to the Upper Tribunal for reassessment.

National Westminster Bank Plc

In December 2021, following an investigation by the FCA into its activities and a guilty plea, National Westminster Bank Plc (NatWest) was convicted of three offences of failing to comply with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) and fined more than £264 million. The charges covered NatWest’s failure to properly monitor the activity of a commercial customer (a jewellery business) for which the bank was originally not to handle cash. In the event, however, NatWest accepted cash deposits of approximately £264 million. This was the first criminal prosecution under the MLRs by the FCA and the first prosecution under the MLRs against a bank.

2 Outline the legal framework for corporate liability in your country.

There is no general principle under English law that a corporate is vicariously criminally liable for the acts of its employees or agents committed in the course of their employment or agency. However, corporations can be held criminally liable via attribution of the state of mind of relevant senior individuals or via certain ‘strict liability’ offences.

Identification doctrine

The traditional, and default, route for corporate criminal liability is via the ‘identification doctrine’, which provides that a corporate can be liable for an offence where the individual committing the offence represents that corporate’s ‘directing mind and will’ (i.e., an individual who is sufficiently senior that their conduct and state of mind can be imputed to the corporate). Under the current law, the ‘directing mind and will’ will generally be that of relevant members of the board of directors and those to whom they (or a corporate’s articles of association) have expressly delegated authority.

The SFO, among others, has called for reform several times, stating that the identification doctrine makes it ‘very difficult to hold companies with complex governance structures to account for their fraudulent conduct’. Unlike in small companies with unsophisticated structures, senior employees in larger corporates are not always privy to operational-level business decisions and it will rarely be the case that the board of directors as a whole can be deemed to have authorised alleged criminal conduct.

Issues relating to the identification doctrine recently came to a head in R v. Barclays plc [2018] (Southwark Crown Court), which was effectively upheld by the High Court in SFO v. Barclays plc [2018] EWHC 3055 (QB). In that case, fraud charges were dismissed against Barclays despite the fact that (taking the SFO’s case at its highest) the former chief executive officer (CEO) and chief financial officer (CFO) were alleged to have been involved in the relevant conduct. The High Court instead found that the bank’s directing mind and will was the full board of directors and the particular committees with delegated authority to undertake the relevant transactions. As neither the full board nor the committees authorised the CEO and CFO to enter into the relevant transactions, it was found that the bank could not be liable for them.

Strict liability offences

In comparison to the identification doctrine, strict liability offences provide for corporate criminal liability without the need to establish any particular state of mind on the part of the corporate or relevant employees. Strict liability offences are typically reserved for the regulatory sphere, such as in relation to health and safety or financial crime.

Among the strict liability offences are the two sets of ‘failure to prevent’ offences: the first was introduced in 2011 by section 7 of the UKBA (failure to prevent bribery) and the second can be found at sections 45 and 46 of the Criminal Finances Act 2017 (CFA) (failure to prevent the facilitation of tax evasion). This model of offence criminalises corporates for failing to prevent the criminal conduct of their ‘associated persons’ (i.e., persons who perform services for or on behalf of the corporate), subject to a defence of the corporate having had in place adequate (or reasonable) procedures designed to prevent such conduct.

Law Commission Options Paper

In June 2022, in response to the criticism that has been levelled at the identification doctrine and calls for reform, the Law Commission (a statutory independent body tasked with keeping English law under review and recommending reform) published an ‘options paper’ setting out potential options for the reform of the nation’s laws on corporate criminal liability. The options ultimately set out by the Law Commission included:

  • maintaining the status quo;
  • modifying the scope of who constitutes a corporate’s ‘directing mind and will’ under the current law;
  • the potential introduction of new corporate ‘failure to prevent’ offences in areas such as fraud and human rights abuses;
  • introducing new civil and administrative monetary penalties; and
  • enhancing corporate compliance obligations.

Significantly, the Law Commission considered and rejected the possible introduction of a general corporate ‘failure to prevent economic crime’ offence, which would encompass a wide range of financial crimes such as fraud, money laundering and false accounting.

3 Which law enforcement authorities regulate corporations? How is jurisdiction between the authorities allocated? Do the authorities have policies or protocols relating to the prosecution of corporations?

The United Kingdom comprises three separate legal systems: England and Wales, Scotland and Northern Ireland. As a result, each jurisdiction has its own set of regulatory and law enforcement bodies, although some bodies do exercise authority over two jurisdictions (such as the SFO) or even all three (such as HM Revenue and Customs (HMRC)).

The main law enforcement authorities that are responsible for regulating corporations in England and Wales are the following:

  • SFO: a non-ministerial department of the UK government responsible for the investigation and prosecution of serious or complex fraud, bribery and corruption.
  • National Crime Agency (NCA): a national law enforcement agency focused on the fight against organised crime; human, weapon and drug trafficking; cybercrime; border and immigration crime; kidnap and extortion; and economic crime such as fraud, money laundering, illicit finance, bribery and corruption, and sanctions evasion. The NCA tends to lead investigations involving significant, but smaller-scale and less complex, corporate crime cases than the SFO.
  • HMRC: a non-ministerial department of the UK government responsible for the administration and collection of taxes, enforcing tax laws, enforcing export controls and investigating tax and related offences, such as tax evasion and money laundering. Unlike the SFO, HMRC only has investigative powers, with prosecution decisions being taken by the Crown Prosecution Service.
  • FCA: the regulator of the financial services industry in the United Kingdom. It has a range of criminal, civil and regulatory enforcement powers, including the ability to impose civil penalties for misconduct and prosecute regulated entities for market-related offences, such as insider trading and market manipulation.
  • Competition and Markets Authority (CMA): the UK’s competition regulator responsible for promoting and strengthening competition and investigating anticompetitive activities. The CMA can impose fines for breach of competition law and prosecute cartel offences.
  • Office of Financial Sanctions Implementation (OFSI): a division of HM Treasury responsible for enforcing financial sanctions. OFSI is not a prosecutor but it can impose monetary penalties for breaches of financial sanctions and publicise details of established breaches.
  • Information Commissioner’s Office (ICO): a non-departmental public body acting as the national data protection authority and tasked with upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO has the ability to levy regulatory fines for breaches of data protection legislation.
  • Insolvency Service Legal Services Directorate: the lead criminal enforcement agency for insolvency-related fraud and corporate misconduct. The Directorate conducts both civil and criminal proceedings to restrict those who have acted improperly during the course of insolvency or the life of a company, to wind up companies in the public interest and to bring to justice those who commit criminal offences within the remit of the Department for Business, Enterprise and Industrial Strategy.
  • Companies House: the UK’s registrar of companies, with powers to investigate and prosecute directors who have failed to meet certain regulatory and filing requirements.
  • Health and Safety Executive: a government agency and national regulator responsible for the encouragement, regulation and enforcement of workplace health, safety and welfare.
  • Local police forces: these have powers to investigate crime (by collecting evidence), to prevent crime (by maintaining public order and managing known offenders and suspects), and to ‘dispose’ of criminal cases (e.g., out-of-court disposals such as cautions).

From the above, it is evident that there are some potential overlaps in the jurisdictions of these law enforcement authorities. In areas of potential overlap, the authorities will generally seek to work collaboratively with one another to define their respective roles and priorities. Some authorities have agreed formal memoranda of understanding (MOUs) in this regard, setting out the high-level framework they use to co-operate with one another. Examples include the MOU between the SFO, NCA, FCA and other state bodies on tackling foreign bribery, and the generic MOU agreed by the FCA, Bank of England, Prudential Regulation Authority (PRA) and Payment Systems Regulator. Where formal MOUs are not in place, authorities may enter into arrangements with one another more informally to seek to promote co-operation, minimise duplication and coordinate their joint regulatory activities.

A number of the authorities have published guidance on the approach they take towards investigating and prosecuting corporates, including joint guidance issued by the Director of Public Prosecutions and the Director of the SFO on corporate prosecutions (other than offences of corporate manslaughter), guidance issued by the SFO on corporate co-operation, and a chapter of the FCA’s Enforcement Guide dedicated to the prosecution of criminal offences.

4 What grounds must the authorities have to initiate an investigation? Is a certain threshold of suspicion necessary to trigger an investigation?

In general, for a law enforcement authority to commence a criminal investigation, it must have reasonable grounds to suspect that a criminal offence has or may have been committed. However, whether the authority can exercise its statutory investigatory powers depends in part on the authority’s policies and the specific powers on which it seeks to rely.

The Director of the SFO has the power to investigate any suspected offence that appears, on reasonable grounds, to involve serious or complex fraud. Where this threshold is met and an investigation is commenced, section 2 of the Criminal Justice Act 1987 (CJA) gives the Director the power to issue a notice compelling a person to answer questions or produce documents regarding matters relevant to an investigation. The Director can do this where it appears that there is ‘good reason to do so for the purpose of investigating the affairs, or any aspect of the affairs, of any person’. Section 2A of the CJA further empowers the Director to compel the production of evidence for the purpose of determining whether to start an investigation in the first place. This more permissive power – which currently only applies in the context of overseas bribery – can only be exercised where it appears to the Director that conduct relating to such offences ‘may have taken place’. However, section 2A of the CJA may soon be broadened to apply to all offences within the SFO’s remit (see question 78 for further information).

The FCA’s policy is generally only to start an investigation, whether regulatory or criminal, where it has ‘reason to believe serious misconduct may have taken place’, even in cases where harm has not yet occurred.

HMRC’s policy is to deal with fraud using civil investigation procedures wherever appropriate, reserving criminal investigations for cases where it needs ‘to send a strong deterrent message or where the conduct involved is such that only a criminal sanction is appropriate’.

5 How can the lawfulness or scope of a notice or subpoena from an authority be challenged in your country?

As a first step, the recipient of a production order or notice (a Notice) may be able to agree informally with the law enforcement authority ways to narrow the scope of the information required. For example, the parties may agree that the production be limited to material arising from searches run against specific data custodians or from the application of search terms to such data.

Where this is not possible, Notices can be challenged using procedures specified in the relevant statute. For example, recipients of an information notice from HMRC can appeal the notice to the First-Tier Tribunal and recipients of production orders issued under the Proceeds of Crime Act 2002 (POCA) can apply to the issuing court to vary or discharge the order.

Alternatively, Notices can also be challenged in the courts by commencing a judicial review against the relevant authority. The main grounds for judicial review are: (1) illegality, for example where an authority has issued a Notice without the power to do so; (2) procedural unfairness, for example where the decision to issue a Notice was based on bias against the recipient; and (3) irrationality, for example where the reasons behind the decision to issue a Notice were so unreasonable that no reasonable person, acting reasonably, could have made it.

6 Does your country make use of co-operative agreements giving immunity or leniency to individuals who assist or co-operate with authorities?

Individuals who assist authorities in their investigations may be granted leniency, and possibly immunity, for doing so. This can be an informal arrangement, whereby, for example, authorities elect not to pursue an individual or to do so on the basis of a less serious charge.

It is also open for authorities to issue a formal written immunity notice under section 71 of the Serious Organised Crime and Police Act 2005 (SOCPA). Such an immunity notice protects an individual from being prosecuted for specified offences, provided that the individual complies with the requirements of the notice (which will often relate to the individual’s co-operation, such as giving evidence against others at trial). Alternatively, where an individual is prosecuted, section 73 of SOCPA enables a defendant who has provided or offered to provide assistance to an investigator or prosecutor to receive a reduction in sentence. This protection is only available to those who have tendered a guilty plea.

Such leniency is also a key feature of competition law enforcement, which is regulated by the Competition Act 1998 and the Enterprise Act 2002. Implicated persons may benefit from full immunity from, or a partial reduction in, penalties where they co-operate with investigations conducted by the CMA. A corporate or individual’s ability to benefit from immunity or leniency will depend on factors such as their order in the ‘queue’ of those who have applied for leniency and whether there is a pre-existing civil or criminal investigation into the underlying activity.

Non-prosecution agreements are not a feature of English law and DPAs are only available to corporate defendants.

7 What are the top priorities for your country’s law enforcement authorities?

The UK government’s Economic Crime Plan for 2019–2022 outlined seven strategic priorities for combating economic crime, which included better information sharing between government agencies, enhanced co-operation with international agencies and stronger powers, procedures and tools for enforcement authorities. In February 2022, the UK Treasury stated that it is on course to deliver 49 of the 52 actions set out in the Plan. As of August 2022, the Royal United Services Institute (a defence-focused policy research institute) stated that 48 per cent of the Plan’s deliverables had been completed, 15 per cent were in progress, 17 per cent were overdue and 19 per cent had no due date.

An additional means of gauging enforcement priorities can be found in the annual reports and plans issued by the key law enforcement authorities, many of which have a renewed focus on cybercrime. By way of brief overview:

  • the UK Home Office’s Beating Crime Plan issued in 2021 included in its strategic priorities a new system for the reporting of fraud and cybercrime, as well as measures for combating violent crime;
  • the NCA’s annual plan for 2022–2023 promises a renewed focus on tackling serious organised crime networks domestically and internationally. After Russia’s invasion of Ukraine, the United Kingdom established a new Combating Kleptocracy Cell within the NCA, with a view to investigating criminal sanctions evasion and high-end money laundering;
  • the SFO’s strategic plan for 2022–2025 promises ‘a period of significant change’. This is to include a reduction in the average length of investigations to three years, at least one successful outcome being achieved in more than 80 per cent of cases (such as one conviction or DPA), a 60 per cent conviction rate against those prosecuted, increased recovery rates against financial orders, and improvements in the percentage of victims and witnesses who are satisfied with the experience provided by the SFO;
  • the FCA’s strategy for 2022–2025 takes an outcomes-focused approach, based on reducing and preventing serious harm, the setting of higher standards (including a potential new ‘consumer duty’ for regulated firms to set clearer expectations as to the standard of care to be given to consumers) and the promotion of competition and greater regulatory open-mindedness; and
  • in July 2022, HMRC published a plan on tackling error and fraud in covid-19 support schemes, which will use the Taxpayer Protection Taskforce (a unit of tax specialists with experience in investigating errors and fraud) to combat fraud in government schemes and to protect taxpayers’ funds.

As set out in question 2, the Law Commission has published an options paper regarding potential reforms to the scope of corporate criminal liability under English law. Additionally, it is likely that Russia’s invasion of Ukraine (and the significant increase in the scope of the United Kingdom’s sanctions against Russia and Belarus) will lead to an increased focus on sanctions enforcement.

8 To what extent do law enforcement authorities in your jurisdiction place importance on a corporation having an effective compliance programme? What guidance exists (in the form of official guidance, speeches or case law) on what makes an effective compliance programme?

The UK’s anti-bribery and tax evasion regimes criminalise a corporate’s failure to prevent bribery (UKBA, section 7) and failure to prevent the facilitation of tax evasion (CFA, sections 45 and 46). However, it is a defence to these offences if the corporate can show that it had adequate (in the case of bribery) or reasonable (in the case of tax evasion) procedures in place to prevent the conduct. Guidance as to appropriate procedures in this regard has been published, respectively, by the UK Ministry of Justice and HMRC, both of which refer to the six key principles of proportionate procedures, top-level commitment, risk assessment processes, due diligence, communication and training, and ongoing monitoring. The SFO has also published guidance on evaluating a compliance programme (dated January 2020), which emphasises that prosecutors need to assess the state of an organisation’s compliance programme over different periods (including at the time of the offending, the present and the future).

In relation to both ‘failure to prevent’ offences and other offending more generally, a corporate’s compliance programme may also be relevant to whether the public interest stage of the Full Code Test is met for bringing a prosecution and to the severity of the penalty imposed. Under the DPA Code of Practice, it is a public interest factor in favour of prosecution if the corporate had no, or an ineffective, compliance programme at the time of the offending and it has not been able to demonstrate a significant improvement since that date; while it is a public interest factor against prosecution if the corporate had a proactive compliance programme both at the time of the offending and at the time of the reporting to the authorities (and, though not specifically referred to, naturally also at the point of the investigation and resolution).

A corporate’s compliance programme can also affect the terms of the DPA itself (e.g., whether the prosecutor seeks to impose a corporate monitor) and can be a factor leading to a reduction in any financial penalty imposed. For example, the 2021 DPA between the SFO and Amec Foster Wheeler Energy Limited (AFW) imposed an ongoing obligation on AFW to review and enhance its ethics and compliance policies and procedures. AFW’s steps to improve its compliance procedures contributed, along with other factors, to an overall reduction in its financial penalty of 50 per cent.

Cyber-related issues

9 Does your country regulate cybersecurity? Describe the approach of local law enforcement authorities to cybersecurity-related failings.

The regulatory framework for cybersecurity in England is set out in an assortment of statutes, regulations and sources of guidance that varyingly apply to specific organisations and sectors, as set out below. As a general principle, however, the law does not expect organisations to have impenetrable cybersecurity systems and controls. Organisations are instead required to assess the risk and perform a balancing assessment based on their particular circumstances and risk profile:

  • The retained version of the EU General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018): One of seven key principles under Article 5 of the UK GDPR applicable to all data controllers is that data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Article 32 of the UK GDPR then sets out further detail on the technical and organisational measures required to demonstrate compliance with this principle. In the event of a security event leading to a personal data breach, there is a mandatory legal duty to notify the Information Commissioner’s Office (ICO) within 72 hours of the controller becoming aware of the breach (UK GDPR, Article 33(1)). Failure to implement appropriate security measures to safeguard personal data can result in enforcement action, including the imposition of significant fines of up to 4 per cent of total annual worldwide turnover, even in the absence of a cyberattack or personal data breach. Since the GDPR took effect in May 2018, more than 900 fines have been issued across the European Economic Area and the UK GDPR fines have ramped up significantly. In October 2021, the ICO fined British Airways £20 million for a data breach affecting more than 400,000 customers, representing the ICO’s largest fine to date (though it had originally intended to issue a fine of £183 million).
  • The Network and Information Systems Regulations 2018: The Regulations establish a common level of security for key strategic network and information systems and address the threats posed to them from cyberattacks. The Regulations apply to two groups of organisations: operators of essential services (OESs) – such as water, energy or transport, though not financial services infrastructure – and relevant digital service providers (RDSPs) – such as online marketplaces, search engines or cloud computing services. OESs face stricter security requirements than RDSPs because they typically face higher risks and service interruptions would have more severe consequences. All OESs and RDSPs must register with their relevant competent authority and maintain adequate and consistent cybersecurity measures to protect against cybercrime. Competent authorities for OESs have been assigned on a sectoral basis, while for RDSPs, the competent authority is the ICO. The Regulations provide for mandatory incident reporting, with a time limit of 72 hours (from becoming aware) for reporting any incident that has a significant effect on the continuity of the essential service. A breach of the Regulations can result in a fine of up to £17 million.
  • The Communications Act 2003: The Act requires providers of public electronic communications networks (PECNs) and public electronic communications services (PECS) to take technical and organisational measures appropriate to manage risks to the security of their networks or services, including preventing or minimising the impact of security incidents on end users. A PECN provider must notify the Office of Communications (Ofcom) of a breach of security that has a significant impact on the operation of a PECN or PECS. Ofcom may impose fines for breach of up to £2 million.
  • The Privacy and Electronic Communications (EC Directive) Regulations 2003: The Regulations require that PECS providers take appropriate technical and organisational measures to safeguard the security of their services. These include ensuring that personal data can be accessed only by authorised personnel for legally authorised purposes; protecting personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration and unauthorised or unlawful storage, processing, access or disclosure; and ensuring the implementation of a security policy regarding the processing of personal data. Breaches must be notified to the ICO without undue delay and, where feasible, no later than 24 hours after detection. The ICO has the power to impose fines for breach of up to £500,000.

The National Cyber Security Centre, a branch of the Government Communications Headquarters (GCHQ), provides a unified source of advice, practical guidance and support on cybersecurity to individuals, organisations and the public sector.

10 Does your country regulate cybercrime? What is the approach of law enforcement authorities in your country to cybercrime?

Cybercrime is a term commonly used to describe frauds attempted or committed using information technology infrastructure and the internet. Examples include unauthorised control of computers (e.g., hacking or trojan horses), denials of service (e.g., taking down a website or ransomware) and online scamming (e.g., through fake websites). The main sources of law and regulation in England relating to cybercrime are as follows:

  • The Computer Misuse Act 1990: The Act sets out the key offences of (1) causing a computer to perform any function with intent to secure access to any program or data that the person is not authorised to access (section 1), (2) committing a section 1 offence with the intention of committing further offences (section 2), (3) doing any unauthorised act in relation to a computer that a person knows to be unauthorised, with the intent to or being reckless as to whether the act will impair the operation of the computer, prevent or hinder access to any program or data, impair the operation of any program or the reliability of any data, or enable any of the foregoing to be done (section 3) and (4) making, adapting or supplying, or offering to supply, any article intending it (or believing it likely) to be used to commit or assist in the commission of an offence under sections 1 and 3 of the Act (section 3A). It is common for an offence under this Act to be charged alongside a substantive offence under the Fraud Act 2006 or the Theft Act 1968.
  • DPA 2018: Section 170 makes it an offence for a person knowingly or recklessly to obtain or disclose, procure the disclosure of, or retain personal data without the consent of the data controller.
  • The Cyber Attacks (Asset Freezing) Regulations 2019: The Regulations provide for the freezing of funds and other economic resources of relevant ‘designated persons’, being those individuals listed in an annex to a linked EU regulation as persons responsible for cyberattacks threatening the European Union. The Regulations create offences for breaching any of the restricted conduct.
  • The Proceeds of Crime Act 2002: The Act makes provision for the confiscation and recovery of proceeds of crime, including cybercrime. In August 2019, a judge at Southwark Crown Court ordered the first-ever confiscation of cryptocurrency obtained by a hacker who was convicted of serious cybercrimes.

The National Crime Agency (NCA) is the main law enforcement authority responsible for the investigation and prosecution of cybercrime, with a dedicated National Cyber Crime Unit. However, prosecutions can also be brought by other competent authorities, such as the Crown Prosecution Service and the ICO.

Given the international nature of cybercrime, cross-border co-operation is critical. The NCA alongside other relevant law enforcement agencies can seek to make use of mutual legal assistance channels for assistance in this regard. The United Kingdom is also a party to the Convention on Cybercrime (known as the Budapest Convention), which counted 67 states as parties as of November 2022 and provides a legal framework for international co-operation with respect to cybercrime and any other crime involving electronic evidence. In December 2019, the UN General Assembly adopted a resolution to draft a global comprehensive cybercrime treaty, the negotiations for which are continuing.

Cross-border issues and foreign authorities

11 Does local criminal law have general extraterritorial effect? To the extent that extraterritorial effect is limited to specific offences, give details.

As a general rule, English criminal law applies a presumption against extraterritoriality, under which the jurisdiction of English courts is limited to conduct that occurs in England unless the express wording, purpose or context of the relevant criminal law rebuts that presumption. Examples of criminal offences that expressly have a degree of extraterritorial effect include:

  • money laundering offences under Part 7 of the Proceeds of Crime Act 2002, which can apply where a person knows or suspects that property constitutes or represents a person’s benefit from ‘criminal conduct’, where ‘criminal conduct’ is defined as conduct that constitutes an offence in any part of the United Kingdom or would constitute an offence in any part of the United Kingdom if it occurred there. However, there is a defence where the conduct is not unlawful in the foreign jurisdiction and, if it had occurred in the United Kingdom, would have attracted a maximum custodial sentence of 12 months;
  • sanctions offences, which can apply to all conduct with a UK nexus. This includes conduct abroad by UK persons, such as UK nationals or bodies incorporated or constituted within the United Kingdom, and a range of other situations. HM Treasury guidance lists conduct taking place abroad (but co-ordinated from the United Kingdom) and financial or insurance products bought on UK markets but held abroad as further examples of situations with such a UK nexus;
  • offences under the Bribery Act 2010 (UKBA), which can apply to conduct abroad by persons who have a close connection with the United Kingdom. This includes UK nationals, nationals of British overseas territories and those ordinarily resident in the United Kingdom, as well as corporates incorporated in the United Kingdom. The offence of a failure to prevent bribery under section 7 of the UKBA can also be committed by foreign-incorporated corporates that carry on business, or part of a business, in any part of the United Kingdom, even where the bribery occurs outside the territory and without the involvement of a person with a close connection with the United Kingdom; and
  • the offence of failing to prevent foreign tax evasion under section 46 of the Criminal Finances Act 2017, which provides that corporates or partnerships can be liable for an offence where persons associated with them commit a foreign tax evasion facilitation offence, provided that (1) the corporate or partnership is incorporated or formed in the United Kingdom, (2) the corporate or partnership carries on all or part of a business in the United Kingdom, or (3) any conduct constituting part of the foreign tax evasion facilitation offence takes place in the United Kingdom. Accordingly, the conduct forming the foreign tax evasion facilitation offence can take place entirely outside the territory and still be caught by this provision, although the conduct must satisfy a dual criminality test (whereby it is criminal in the overseas jurisdiction and would be criminal in the United Kingdom were it to have occurred in the United Kingdom).

Even absent such express extraterritoriality, English courts may still have jurisdiction where relevant conduct has occurred both inside and outside England. In this situation, the appropriate forum to prosecute the offence will often be determined by agreement between the relevant authorities.

Finally, certain violent or sexual offences (which cannot be committed by companies) have extraterritorial application pursuant to the Domestic Abuse Act 2021. A British national (or someone habitually resident in the jurisdiction) who commits an act abroad that constitutes an offence in that foreign country can be prosecuted under English law if, had the act occurred in England, it would constitute one of a list of specified offences.

12 Describe the principal challenges that arise in your country in cross-border investigations, and explain whether and how such challenges depend on the other countries involved.

Naturally, investigations involving the United Kingdom and other countries will face hurdles that do not exist with purely domestic investigations owing to the differing legal regimes. These may include:

  • whether or not the United Kingdom has a mutual legal assistance treaty or other evidence-sharing arrangement with the other jurisdiction, containing a formal process under which UK authorities can enlist the assistance of foreign authorities to investigate and obtain evidence relating to an issue (for further information, see question 58);
  • differences in the other countries’ application of legal professional privilege, including the other countries’ approach to collateral waiver of privilege and limited waivers of privilege;
  • data protection laws differing between jurisdictions, and the need to ensure that the different requirements of each country’s laws are respected (for further information, see question 24);
  • differing requirements as to whether a notification of wrongdoing needs to be made to relevant authorities, which can lead to a ‘lowest common denominator’ approach whereby a disclosure obligation in one jurisdiction leads to disclosure across all jurisdictions;
  • rules relating to the admissibility of certain forms of evidence, such as in relation to intercepted communications or where witnesses or suspects abroad face human rights abuses in pursuance of an investigation;
  • political or diplomatic factors that influence the extent to which foreign law authorities are inclined to assist UK law enforcement agencies in their investigations;
  • disputes between authorities as to the appropriate forum for enforcement, and which authority’s investigations should take precedence; and
  • disruption caused by UK authorities no longer having access post-Brexit to criminal databases and information gateways used across the European Union. For example, the European Criminal Records Information System (ECRIS) is a database that enables EU Member States quickly to exchange and access information concerning EU nationals’ criminal records. The United Kingdom lost access to ECRIS after the expiry of the transition period following its exit from the European Union and authorities now have to wait up to 20 working days before they can obtain such information. UK authorities have also lost access to the Second Schengen Information System, which is a database used by border control and law enforcement authorities across the European Union and associated countries, enabling real-time alerts to be generated concerning individuals or objects that are (for example) missing or sought for arrest or seizure.

13 Does double jeopardy, or a similar concept, apply to prevent a corporation from facing criminal exposure in your country after it resolves charges on the same core set of facts in another? Is there anything analogous in your jurisdiction to the ‘anti-piling on’ policy as exists in the United States (the Policy on Coordination of Corporate Resolution Penalties) to prevent multiple authorities seeking to penalise companies for the same conduct?

Under English criminal law, the doctrine of double jeopardy states that no person may be prosecuted twice for an offence where charges have already been resolved in relation to the same conduct. This resolution could be by way of a conviction, acquittal, withdrawal of charges or a settlement, such as a deferred prosecution agreement (DPA).

Although this doctrine clearly applies in the domestic arena, it is uncertain whether it extends to circumstances where the prior resolved charges were in another country. However, domestic enforcement agencies such as the Serious Fraud Office (SFO) have previously accepted this to be the case (even without the English courts ruling on the issue). For example, in 2011, DePuy agreed a DPA with the US Department of Justice in relation to breaches of the US Foreign Corrupt Practices Act 1977. On reviewing the case, the SFO ultimately decided that the DPA in the United States amounted to the conclusion of a prosecution that punished the same conduct that had formed the basis of the SFO’s investigation. Accordingly, the SFO determined that a further prosecution by it would amount to double jeopardy (although the SFO still successfully obtained a civil recovery order of more than £4.8 million against DePuy in relation to its related conduct).

In practice, domestic enforcement agencies may seek to come to an agreement with foreign authorities as to the appropriate jurisdiction to investigate and prosecute particular conduct. It may be, for example, that predicate offences are tried in one jurisdiction and ancillary offences (such as those relating to money laundering) are tried in another. As well as being consistent with the doctrine of double jeopardy, this approach reduces the possibility of proceedings in one jurisdiction prejudicing concurrent proceedings in the other.

There are no ‘anti-piling on’ laws under English law analogous to those in the United States (i.e., laws or policies aimed at preventing disproportionate enforcement by multiple authorities across jurisdictions). However, domestic authorities will be mindful of the risk of double jeopardy and, as mentioned above, may work with foreign authorities to agree their discrete areas of focus. Additionally, many English authorities have entered into memoranda of understanding with one another to define the scope of their roles in cases of overlapping jurisdiction.

14 Are ‘global’ settlements common in your country? What are the practical considerations?

Global settlements involving the United Kingdom are becoming increasingly common, especially in the context of bribery and corruption-related charges. By way of example:

  • in 2017, Rolls-Royce group companies entered into concurrent settlements with authorities in the United Kingdom, the United States and Brazil involving penalties of more than £671 million;
  • in 2020, Airbus group companies entered into concurrent settlements with authorities in the United Kingdom, the United States and France involving penalties of more than €3.6 billion; and
  • in 2021, Amec Foster Wheeler group companies entered into concurrent settlements with authorities in the United Kingdom, the United States and Brazil involving penalties of approximately US$177 million.

Practical considerations for global settlements include the nature and location of the wrongdoing and harm (and how concurrent investigations are managed in light of this), whether it is feasible for multiple investigations to be resolved at the same time, and the authorities’ appetite to co-operate with one another and reach a settlement. A simultaneous global settlement gives corporates finality over cross-border compliance issues and limits the fallout to one ‘bad news day’ (rather than several, if the investigations are resolved at different times).

15 What bearing do the decisions of foreign authorities have on an investigation of the same matter in your country?

If a foreign authority decides to prosecute a corporate or individual, double jeopardy will apply and domestic authorities will be prevented from subsequently prosecuting them in respect of substantially the same set of facts. The effect of this is that there can be a race to charge between jurisdictions, with the first authority to charge taking control of the matter. Conversely, if a foreign authority were to decide not to charge an individual or corporate under investigation, the UK authorities would be entitled to proceed with their prosecution.

Notwithstanding the above, law enforcement authorities can conduct an investigation in respect of the same conduct being investigated by authorities abroad. Depending on the jurisdictions involved and the circumstances of the case, these law enforcement agencies may seek to co-operate with one another and come to an agreement on the scope of their respective investigations and prosecutions.

Economic sanctions enforcement

16 Describe your country’s sanctions programme and any recent sanctions imposed by your jurisdiction.

The United Kingdom implemented EU sanctions until 11pm on 31 December 2020. Since then, the framework for the United Kingdom’s autonomous sanctions regime has been contained in the Sanctions and Anti-Money Laundering Act 2018. Under this Act, the UK government is empowered to enact sanctions regulations for one or more prescribed purposes, such as where they are in the interests of national security or further the prevention of terrorism. The sanctions regulations are either grouped by theme (relating to particular issues such as human rights) or geography (relating to a particular country or area). UK sanctions can cover not just conduct occurring within the United Kingdom but also conduct abroad by UK nationals and corporates incorporated in the United Kingdom.

The UK government has a significant degree of flexibility over the nature of sanctions it can impose but they can generally be categorised as:

  • financial sanctions, which include asset freezes against listed persons and entities;
  • trade sanctions, which include trade embargoes, export controls and restrictions on the import of certain goods;
  • immigration-related sanctions, including travel bans; and
  • transport sanctions, such as restrictions relating to aircraft and shipping.

Reporting obligations can also be imposed on UK corporates where they come into certain knowledge or develop suspicions in the course of carrying on their business.

It may be possible to apply for, and obtain, a licence permitting a person to do an act or enter into a transaction that would otherwise be prohibited. These licences are generally available in limited circumstances, although the post-Brexit regime has allowed for broader licensing grounds than were previously permitted pursuant to the EU regime, such as licences to enable ‘anything to be done to deal with an extraordinary situation’.

Breaches of UK sanctions regulations can be dealt with by way of civil monetary penalties, criminal fines and even imprisonment for up to 10 years for individuals.

Traditionally, a person needed to have the requisite state of mind – such as knowledge or reasonable cause to suspect certain matters – for their conduct to be an offence under UK sanctions laws. However, the Economic Crime (Transparency and Enforcement) Act 2022 (ECA) has empowered the UK government to impose civil monetary penalties on a strict liability basis, such that even inadvertent breaches of sanctions laws could lead to a fine of the greater of £1 million or 50 per cent of the relevant funds or resources in question.

The United Kingdom’s sanctions measures relating to Russia and Belarus have significantly broadened in scope in light of Russia’s invasion of Ukraine. At the time of writing, these restrictions do not amount to a complete trade embargo; however, there are major limitations on trade with persons connected with Russia that are likely to increase.

17 What is your country’s approach to sanctions enforcement? Has there been an increase in sanctions enforcement activity in recent years, for example?

Sanctions enforcement is overseen by different departments, depending on the type of sanctions in question. The Department of International Trade implements trade sanctions (with the Export Control Joint Unit having responsibility over trade sanctions licensing). HM Treasury implements and enforces financial sanctions through the Office of Financial Sanctions Implementation (OFSI), albeit law enforcement agencies such as the National Crime Agency will manage criminal investigations for prosecution by the Crown Prosecution Service. Immigration sanctions are implemented and enforced by the Home Office.

Although the criminal penalties for sanctions breaches can be severe (up to 10 years’ imprisonment and an unlimited fine), up to now authorities have tended to favour the imposition of civil monetary penalties for sanctions breaches. Eight monetary penalties have been imposed by OFSI to date for breaches of financial sanctions, which have ranged from £5,000 (Raphael & Sons plc in January 2019) to more than £20 million (Standard Chartered Bank in 2020). OFSI also has the power to publish information concerning firms that have breached sanctions laws, even where it imposes no fine.

It is likely that sanctions enforcement will significantly increase in light of Russia’s invasion of Ukraine. The ECA gives OFSI increased powers to impose monetary penalties on a strict liability basis and, in a report published by the House of Commons Treasury Committee on 9 June 2022, it was announced that OFSI’s headcount would at least double in size during the financial year 2022–2023.

18 Do the authorities responsible for sanctions compliance and enforcement in your country co-operate with their counterparts in other countries for the purposes of enforcement?

In October 2022, OFSI and its counterpart in the United States (the Office of Foreign Assets Control) announced an enhanced partnership that includes the exchange of best practices and the strengthening of working relationships. Public information about the extent of co-operation between the United Kingdom and other authorities is limited, although OFSI has an international engagement branch that is designed to promote sanctions implementation between jurisdictions. The coordinated sanctions response by some nations to Russia’s invasion of Ukraine may lay the groundwork for further co-operation between OFSI and authorities in countries that have enacted measures similar to those in the United Kingdom.

19 Has your country enacted any blocking legislation in relation to the sanctions measures of third countries? Describe how such legislation operates.

Council Regulation (EC) No. 2271/96 (the EU Blocking Regulation) was retained after the expiry of the Brexit transition period, albeit with minor changes to reflect the United Kingdom’s exit from the European Union (the Retained Blocking Regulation). The effect of the Retained Blocking Regulation is to (1) prohibit UK nationals, residents and corporates from complying with certain US sanctions against Iran and Cuba that have extraterritorial effect (the Blocked Laws), (2) enable UK persons affected by such sanctions to recover damages arising from the Blocked Laws and (3) prevent foreign court rulings based on the Blocked Laws from being given effect in the United Kingdom.

UK persons or corporates whose economic or financial interests are harmed by the Blocked Laws are required to inform the UK government within 30 days of receiving this information. In the case of UK corporates, the reporting obligation applies to directors and those with management responsibilities.

20 To the extent that your country has enacted any sanctions blocking legislation, how is compliance enforced by local authorities in practice?

A breach of the Retained Blocking Regulation is a criminal offence punishable by a potentially unlimited fine. However, at the time of writing, there has not been a prosecution in the United Kingdom for a breach of the Retained Blocking Regulation (or the EU law instrument in force prior to Brexit).

The Retained Blocking Regulation will lead to continued uncertainty for people and businesses subject to US and UK laws, albeit it seems that UK authorities historically have had limited appetite to investigate or enforce against breaches.

One way for corporates to mitigate this uncertainty would be to seek an authorisation from the Secretary of State for International Trade to comply with blocked US legislation, where compliance would otherwise breach the Retained Blocking Regulation. Authorisations can be applied for where, for example, non-compliance with blocked laws would ‘seriously damage [the applicant’s] interests’ or those of the United Kingdom.

Before an internal investigation

21 How do allegations of misconduct most often come to light in companies in your country?

Allegations of corporate misconduct may come to light via internal sources (such as internal audits and compliance reviews, employee allegations or whistleblowing), external sources (such as external audits, litigation, press reports, social media or customer complaints) or following approaches from regulators or other authorities (whether because they have uncovered issues themselves or from third parties via reporting channels). Potential issues may also be uncovered during other internal or external investigations.

Whenever such allegations come to light, a number of decisions need to be taken by the corporate, often from a position of limited information and at a time when the business, and the individuals involved, may be under significant pressure. Key initial issues include whether to notify any relevant authorities, whether to investigate further, what is in scope, how to structure governance and reporting, and how to conduct the document preservation, collection and review exercise. If the allegations arise from a whistleblower, care will also need to be taken to protect the whistleblower’s position (see question 29).

Information gathering

22 Does your country have a data protection regime?

The data protection regime is largely set out in the retained version of the EU General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

Article 5 of the UK GDPR sets out the seven key principles that lie at the heart of the approach to processing personal data: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability (under which data controllers are responsible for, and must be able to demonstrate compliance with, the foregoing principles). Article 6 of the UK GDPR then sets out the six lawful bases for processing, at least one of which must apply whenever personal data is being processed: consent; contract; legal obligation; vital interests; public task; or the legitimate interests balancing test. To lawfully process data containing particularly sensitive information (referred to as special category data), it is necessary to have both a lawful basis under Article 6 of the UK GDPR and a separate (more restrictive) condition for processing under Article 9 of the UK GDPR.

The DPA 2018 sits alongside and supplements the UK GDPR (outlining certain exemptions and additional requirements), sets out separate data protection rules for law enforcement authorities, extends data protection to certain other areas (such as national security and defence) and sets out the functions and powers of the Information Commissioner’s Office (ICO).

The Privacy and Electronic Communications (EC Directive) Regulations 2003 sit alongside the general data protection regime and set out more specific privacy rights in relation to electronic communications and electronic marketing (covering marketing calls, emails, texts, faxes, cookies and more).

In September 2021, the UK government launched a consultation on potential reforms to the current data protection regime. The consultation presented proposals regarding the reform of the ICO and the reduction of regulatory burdens on businesses. In July 2022, the Data Protection and Digital Information Bill, which captures the outcome of the consultation, was introduced for discussion in Parliament and is currently going through the legislative process.

23 To the extent not dealt with above at question 9, how is the data protection regime enforced?

The ICO is the independent supervisory authority for data protection in the United Kingdom and has primary responsibility for enforcement of the data protection regime. Its enforcement powers include information notices, assessment notices, warnings, reprimands, enforcement notices and monetary penalties.

There are two tiers of monetary penalty: the higher maximum and the standard maximum. For serious infringements, the higher maximum is £17.5 million or 4 per cent of the total annual worldwide turnover in the preceding financial year, whichever is higher. In practice, the higher maximum amount can apply to any failure to comply with any of the data protection principles and individual rights under the DPA 2018, or in relation to any transfers of data to third countries. For any infringement of other provisions (e.g., administrative requirements of the legislation), the standard maximum amount will apply, which is £8.7 million or 2 per cent of the total annual worldwide turnover in the preceding financial year, whichever is higher.

In most cases, the ICO will reserve its enforcement powers for more serious breaches, which will typically involve intentional or negligent acts, or repeated breaches. According to guidance issued by the ICO, it will calculate the recommended amount of a proposed financial penalty based on the seriousness of the contravention, the degree of culpability of the organisation concerned, its turnover, any aggravating or mitigating factors, the organisation’s means of paying, the economic impact, the effectiveness, proportionality and dissuasiveness of any penalty, and any early payment reduction. Factors going towards the seriousness of the contravention here include the nature, gravity and duration of the failure, any action taken by the data controller or processor to mitigate the damage suffered by data subjects, any relevant previous failures by the data controller or processor, the degree of co-operation with the ICO, the categories of personal data affected by the failure, the way the breach became known to the ICO, including whether, and if so to what extent, the data controller or processor notified the ICO of the failure, the extent to which the data controller or processor has complied with previous enforcement notices or penalty notices, and adherence to approved codes of conduct or approved certification mechanisms.

The ICO has been increasingly active in recent years (see question 9). In October 2021, it fined British Airways £20 million for a data breach affecting more than 400,000 customers and, in September 2022, it announced its provisional intention to fine TikTok £27 million for failing to protect children’s privacy. In the 12 months to September 2022, the ICO took enforcement action in approximately 50 cases.

In June 2021, the ICO obtained new powers to conduct its own financial investigations via the Proceeds of Crime Act (References to Financial Investigators) Order 2021. Accredited financial investigators at the ICO will now be able to conduct investigations, apply for restraint orders and carry out search and seizure exercises in circumstances where they believe cash has been obtained through, or is intended for use in, criminal activities.

24 Are there any data protection issues that cause particular concern in internal investigations in your country?

As (1) internal investigations are intrinsically likely to involve the processing of personal data belonging to current and former employees and third parties and (2) engagement with law enforcement authorities will often involve requests or requirements for the disclosure of such data, it is increasingly common for data protection issues to arise in practice and lead to the need to take difficult strategic decisions. Common stages of the investigation process where such issues arise include the following.

Document preservation, collection and review

Ensuring that relevant documents are preserved is of critical importance in internal investigations and, in certain cases, it can be a criminal offence to permit the destruction or disposal of relevant documents. When putting in place document retention policies, care will need to be taken to identify a lawful basis for the preservation and to consider the principles of transparency (so that data subjects are aware of the scope and purposes of the preservation), data minimisation (so that no more data are preserved than is necessary) and storage limitation (so that data are not stored for longer than is necessary).

Where data controllers seek to rely on ‘consent’ as a legal basis for processing data, data subjects must be given a real choice to either agree or disagree to the related processing of their personal data, and also to withdraw any consent given at any time. Even if consent has been included in the employment contract, it cannot generally be relied on for these purposes as, due to the power imbalance between the employee and the employer, the consent will likely not be considered voluntary. In such situations, corporates tend to seek to rely on their ‘legitimate interests’ as the lawful basis for the processing, which requires them to show that the processing is necessary for the purposes of their legitimate interests and balance this against the interests or fundamental rights and freedoms of the data subjects. This balancing exercise and justification should be recorded in writing.

To the extent feasible, applying custodian, date and search term filters to data even prior to its ingestion into a document review database can help evidence compliance with requirements as to data minimisation and storage limitation.

Care must also be taken to identify any special category data (i.e., data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data and data concerning a person’s health, sex life and sexual orientation), for instance via targeted sensitive personal data reviews. Should such data be included in the document set, it may only be processed if one of the (strict) conditions under Article 9 of the UK GDPR applies. In practice, corporates tend to seek to rely on the ‘substantial public interest’ condition (though this requires the satisfaction of a number of formalities).

International data transfers (out of the United Kingdom)

Corporates may sometimes need to transfer personal data outside the United Kingdom, for instance where the help of external advisers based overseas is required or where it is necessary to share the results of the investigation with international law enforcement authorities or courts.

The UK GDPR restricts the transfer of personal data to other countries (or to international organisations) no matter how small the transfer or how often it is carried out.

An organisation considering an international data transfer must work through the following questions in order to determine whether it is able to proceed.

Is the restricted transfer covered by ‘adequacy regulations’?

The United Kingdom has adequacy regulations agreed in relation to certain countries and territories, including all European Economic Area countries and institutions, Gibraltar, countries covered by the European Commission’s adequacy decisions in force at 31 December 2020 (including Israel, New Zealand, Switzerland and Uruguay) and certain organisations in Japan and Canada.

An informal agreement between the United States and the European Union known as the Privacy Shield was adopted in July 2016 with the intention of ensuring adequate data protection for data transfers to the United States. The Privacy Shield included assurances from the US government and an adequacy decision from the European Commission that together formed the legal basis of US–EU data transfers. However, in July 2020, the European Court of Justice declared the agreement invalid, with one of the reasons being that it did not offer concrete protection of sensitive data from access by US authorities. As a result, corporates can no longer rely on the adequacy of the US data protection regime when transferring personal data to the United States. In October 2022, the UK government announced that progress had been made in relation to a potential new UK–US adequacy agreement and confirmed its intention for adequacy regulations to be put before Parliament in early 2023.

If not, is the transfer covered by appropriate safeguards?

The UK GDPR sets out a list of appropriate safeguards, which ensure that both the sender and the receiver of the transfer are legally required to protect individuals’ rights and freedoms in respect of their personal data.

One such appropriate safeguard is standard contractual clauses, under which an international transfer can be made if the sender and receiver have entered into a contract incorporating standard data protection clauses recognised or issued in accordance with the UK data protection regime.

Before a sender can rely on an appropriate safeguard, it must undertake a risk assessment that takes into account the protections contained in the appropriate safeguard and the legal framework of the destination country (including laws governing public authority access to data). The transfer may only proceed if, based on this risk assessment, the sender is satisfied that the data subjects will continue to have a level of protection essentially equivalent to that under the UK data protection regime (or this can nevertheless be achieved through the inclusion of additional measures).

If not, is the transfer covered by an exemption?

If the transfer is not covered by UK adequacy regulations or an appropriate safeguard, then the sender can only make that transfer if it is covered by one of the exceptions set out in Article 49 of the UK GDPR.

Relevant exemptions include where (1) an individual has given their explicit consent to the transfer, (2) the transfer is necessary to perform a contract with the individual, (3) it is necessary to make the transfer for important reasons of public interest and (4) it is necessary to make the transfer to establish a legal claim, to make a legal claim or to defend a legal claim.

International data transfers (into the United Kingdom)

Complexities can also arise where documents relevant to the investigation are located in other jurisdictions (including where data is hosted on cloud-based or group-wide servers physically located overseas). It will often be necessary in such cases to get local law advice as to whether this data may be transferred to the United Kingdom. If the transfer is not permissible, it may be necessary to conduct the review overseas.

Data sharing with authorities

If law enforcement authorities use powers of compulsion to require the production of documents held by a corporate, the corporate should have little difficulty finding a lawful basis for the processing of personal data (and even special category data) in compliance with the production order. As for voluntary disclosure, corporates will need to give careful consideration to the relevant lawful bases under Article 6 of the UK GDPR (for personal data) and Article 9 of the UK GDPR (for special category data) for the disclosure.

25 Does your country regulate or otherwise restrict the interception of employees’ communications? What are its features and how is the regime enforced?

The regulatory framework in England applicable to the interception of employee communications and related monitoring is comprised of an assortment of statutes, regulations and guidance, as set out below:

  • European Convention on Human Rights (ECHR): Article 8(1), as incorporated into English law via the Human Rights Act 1998 (HRA), states that ‘everyone has a right to respect for his private and family life, his home and his correspondence’. However, this right is not absolute. Under Article 8(2), interference is permitted where it is in accordance with the law and is necessary in a democratic society: in the interests of national security, public safety or the economic well-being of the country; for the prevention of disorder or crime; for the protection of health or morals; or for the protection of the rights and freedoms of others. Although only public authorities are expressly subject to the HRA, courts and tribunals must, so far as is possible, interpret all legislation consistently with the HRA and so the protections set out in the ECHR remain relevant to all employers (including those in the private sector).
  • UK GDPR and DPA 2018: As the electronic interception and monitoring of employees’ communications involves the processing of personal data, the interception will be regulated by the UK GDPR and the DPA 2018. This means that employers must establish a legal basis for the processing. As set out in question 24, it is difficult to rely on explicit consent in this context owing to the imbalance in power between employers and employees and, as such, employers tend to rely instead on a ‘legitimate interests’ balancing exercise. If the interception is likely to amount to a high risk to employees’ rights and freedoms or involve certain types of automated or large-scale processing, a data protection impact assessment may be required to assess the necessity and proportionality of the planned data processing. Further, to comply with transparency requirements, employers should generally inform employees of the proposed interception and monitoring (for instance in an employee privacy policy); however, in certain cases, covert monitoring may be permitted (e.g., for the detection of crime). The ICO issued an Employment Practices Code to assist employers to comply with the predecessor to the DPA 2018 (the Data Protection Act 1998). Though this Code has not subsequently been updated in light of the UK GDPR and the DPA 2018, it is still understood to remain indicative of the ICO’s approach.
  • The Investigatory Powers Act 2016 (IPA) and the Investigatory Powers (Interception of Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018 (IPR): The IPA makes it unlawful in certain circumstances to intercept a communication in the course of its transmission in the United Kingdom, and the IPR set out the circumstances where, in a business context, such interception will be lawful. Specifically, under section 3(1) of the IPA, a person commits an offence if they intentionally intercept in the United Kingdom a communication in the course of its transmission without ‘lawful authority’, regardless of whether the telecommunication system is public or private. Interception for these purposes includes recording telephone conversations and blocking emails from reaching their recipient, but is not understood to include opening emails that have already been opened by the intended recipient. The IPA and IPR set out three main ways in which an employer can legitimately intercept its employees’ communications: (1) with the consent of both the sender and the recipient (e.g. via automated messages that state ‘this call is being recorded’); (2) where the monitoring is necessary to establish the existence of facts, ascertain compliance with regulatory or self-regulatory practices, for internal quality control, to prevent or detect crime, to investigate or detect the unauthorised use of a telecommunication system, or to ensure the effective operation of the telecommunications system; and (3) where the communication is not being recorded, to determine whether communications are relevant to the business or to monitor communications to a confidential anonymous counselling or support helpline.
  • Common law: Under the common law, a duty of trust and confidence is implied into employees’ employment contracts, which employers will need to bear in mind when undertaking monitoring activities (or else risk breach of that employment contract and a potential claim for constructive dismissal).
  • Equality Act 2010: Employers should ensure that they are not unfairly targeting certain protected categories of employees with monitoring measures.

Dawn raids and search warrants

26 Are search warrants or dawn raids on companies a feature of law enforcement in your country? Describe any legal limitations on authorities executing search warrants or dawn raids, and what redress a company has if those limits are exceeded.

A search warrant is a written authorisation issued by the court to a police officer or other investigator granting legal authority to enter premises, search for and, in many cases, seize and retain specified material. A dawn raid is an unannounced search of a premises, usually (but not always) made on the basis of a search warrant.

Along with the police, certain authorities (such as the Serious Fraud Office (SFO), the Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA), HM Revenue and Customs (HMRC), the Information Commissioner’s Office (ICO) and the Competition and Markets Authority (CMA)) have the power to carry out searches or dawn raids during the course of their investigations or, in certain cases, to assess whether or not a formal investigation should be opened.

The fact that documents may contain confidential information does not generally offer any protection from them being reviewed and copied by inspectors. However, even with a search warrant, certain materials are still out of the scope of search and cannot be accessed by authorities without further authorisations. These materials may, depending on the circumstances, include documents that are not relevant to the subject matter of the investigation, confidential journalistic material, medical records, documents subject to banking confidentiality and, with minimal exceptions (such as the exception of materials created for criminal purposes), legally privileged materials.

Should officials exceed their limits in executing a search or the terms of a search warrant, corporates have the option to challenge the law enforcement authority’s actions by way of judicial review, following which the court can order that the information obtained be retained or otherwise be treated as inadmissible.

In October 2020, the Law Commission published a report on search warrants reform following a consultation launched in June 2018. The Commission noted that there are approximately 176 different search warrant provisions across 138 different pieces of legislation and approximately 40,000 search warrants are issued in England every year. The Law Commission noted a number of issues with the current law, including complexity, inconsistency, outdated rules and cost inefficiencies, and made 64 recommendations.

27 How can privileged material be lawfully protected from seizure during a dawn raid or in response to a search warrant in your country?

Law enforcement authorities are, as a general rule, not permitted to seize documents subject to a valid claim to legal professional privilege and are generally accompanied during searches or dawn raids by an independent lawyer who is tasked with reviewing any material that a corporate asserts as privileged on-site. If a dispute arises as to whether a document is privileged (for example, as to whether the crime-fraud exemption applies), both parties can agree to quarantine the document (e.g., in a sealed evidence bag) until the privilege status can be determined at a later date (potentially by independent counsel).

Where it is not reasonably practicable during the search to isolate the privileged material from the materials relevant to the investigation, section 54 of the Criminal Justice and Police Act 2001 provides for the law enforcement authority to be able to collect the mixed material, so long as it is then reviewed by independent counsel and any privileged material returned as soon as practicable.

28 Under what circumstances may an individual’s testimony be compelled in your country? What consequences flow from such compelled testimony? Are there any privileges that would prevent an individual or company from providing testimony?

Investigation stage

As a general rule and subject to the exceptions outlined below, individuals have the qualified right to stay silent during an interview, interrogation or examination, both prior to and after charge. The right, however, is qualified in that a failure to answer questions and disclose relevant information may harm an individual’s defence as adverse inferences can later be drawn from their silence.

By way of an exception to this general rule, certain authorities (such as the SFO, FCA and CMA) are capable of compelling individuals to answer questions, with failure to comply without a reasonable excuse being a criminal offence. Given that such individuals no longer have a right to silence, information gathered by these authorities by compulsion can generally not be used as evidence against the individual (except where the individual is prosecuted for making false or misleading statements in response to the compulsory questioning). As such, authorities tend to use their powers of compulsion to get evidence from witnesses rather than potential suspects, though there still can be advantages to using such powers against the latter (e.g., if the compelled testimony points the authority in the direction of material from another source that can then be collected and used as evidence against the suspect). The specific powers of compulsion include the following:

  • SFO: Once a case has been formally opened by the SFO, if there is ‘good reason to do so for the purposes of investigating the affairs, or any aspect of the affairs, of any person’, under section 2(2) of the Criminal Justice Act 1987 (CJA), the Director of the SFO may compel any person under investigation or whom there is reason to believe has relevant information to answer questions. In relation to overseas bribery and corruption only, the Director of the SFO also has the power to exercise this power for the purposes of enabling a determination whether to start an investigation in the first place (CJA, section 2A).
  • FCA: Under sections 171 to 173 of the FSMA, the FCA may compel the following categories of persons to answer questions where it reasonably considers it to be ‘relevant for the purposes of the investigation’:
    • the person under investigation;
    • those connected to the person under investigation (e.g., a member of their group or a partnership of which the suspect is a member);
    • (where the person under investigation is an FCA investment firm) a service provider to the firm;
    • in relation to certain offences, anyone else who is or may be able to give information that is or may be relevant to the investigation; and
    • in relation to certain offences, anyone else if ‘necessary or expedient for the purposes of the investigation’.
  • CMA: Under section 193(1) of the Enterprise Act 2002, the CMA may require the person under investigation, or any other person who it has reason to believe has relevant information, to answer questions in respect of ‘any matter relevant to the investigation’. Likewise under section 26A of the CA, the CMA may require an individual concerned in the management or control of, or otherwise working for, an undertaking whose activities are being investigated to answer questions with respect to any matter relevant to the investigation.
  • HMRC: Under section 62 of the SOCPA, if it appears to HMRC that there are reasonable grounds for suspecting a relevant offence has been committed, a person has information relating to the investigation of that offence and there are reasonable grounds for believing the information is likely to be of ‘substantial value’ to the investigation, it may give a disclosure notice to that person requiring them to answer questions in respect of any matter relevant to the investigation.

Trial stage

As a general rule, witnesses who are considered competent can be compelled by the court to testify and give evidence in criminal trials and failure to comply with a summons can constitute a contempt of court. By way of exception to this general rule:

  • subject to certain limited statutory exceptions, individuals have the right to refuse to answer questions or produce information that might incriminate them in criminal proceedings or expose them to a penalty (referred to as the ‘privilege against self-incrimination’). This is one of the reasons why, in general, information compelled from individuals by authorities using their statutory powers above is not admissible in evidence against the individual;
  • defendants cannot be compelled to give evidence on their own behalf at their own trial, although the choice to refrain from testifying could lead to adverse inferences being drawn against them; and
  • spouses or civil partners can only be compelled to give evidence for the prosecution against their partner in limited cases involving allegations of assault or sexual offences. However, spouses can be compelled to give evidence on behalf of their partner (or their partner’s co-accused).

Whistleblowing and employee rights

29 Describe the whistleblowing framework in your country. What financial incentive schemes exist for whistleblowers? What legal protections are in place for whistleblowers?

There is no general duty on employees to disclose wrongdoing, though those exercising managerial or supervisory functions may be subject to an implied duty of fidelity (which might cover within its scope a duty to report the wrongdoing of others) and those in regulated professions may owe professional duties to their regulators to report wrongdoing. There are also certain specific statutory whistleblowing obligations, such as the obligation to notify management of any risk to health and safety.

Whistleblowers benefit from statutory protection under the Employment Rights Act 1996 (ERA) and the Public Interest Disclosure Act 1998 (PIDA).

Under both Acts, the dismissal of an employee will be automatically unfair if the reason, or principal reason, for their dismissal is that they have made a ‘protected disclosure’. Employees are also protected from other detrimental treatment that may result from whistleblowing, such as being passed over for promotion or training opportunities, reduction in pay or harassment. There is no financial cap on the amount of compensation that can be awarded for a dismissal or detriment claim and there is no requirement for a minimum period of continuous service.

To qualify for protection, a whistleblower must disclose information that relates to one of six types of ‘relevant failure’ (as outlined below), they must have a reasonable belief that the information tends to show one of the six relevant failures and they must have a reasonable belief that the disclosure is in the public interest. In addition, the disclosure must qualify as a ‘protected disclosure’, which broadly requires that it is made to the worker’s employer (or certain third parties in specific circumstances). As such, whistleblowing to the police or the media will only qualify in limited cases.

The six ‘relevant failures’ are criminal offences, breaches of any legal obligation, miscarriages of justice, a danger to the health and safety of any individual, damage to the environment and the deliberate concealment of information about any of the above.

In March 2015, the Department for Business, Enterprise and Industrial Strategy published ‘Whistleblowing: Guidance for Employers and Code of Practice’, which sets out best practice for employers, including the development of a culture where staff feel safe to make disclosures.

It is not common practice in the United Kingdom to reward whistleblowers financially (or otherwise) and there is no equivalent to the US model of qui tam lawsuits under the US False Claims Act 1863 (i.e., where a whistleblower stands to recover a percentage of the entire amount recovered in relation to fraud against the government). Both the Financial Conduct Authority (FCA) and the Prudential Regulation Authority have expressed concerns about the effects of providing financial incentives to whistleblowers and feel that providing incentives will neither encourage whistleblowing nor significantly increase integrity and transparency in financial markets.

30 What rights does local employment law confer on employees whose conduct is within the scope of an investigation? Is there any distinction between officers and directors of the company for these purposes?

Employees

Although the starting point for considering an employee’s rights during an internal investigation will be the terms of the employment contract, the staff handbook and applicable workplace policies and procedures, corporates should also bear in mind the requirements of the Advisory, Conciliation and Arbitration Service Code of Practice on Disciplinary and Grievance Procedures (the ACAS Code). Although the ACAS Code is not legally binding and a failure to comply does not automatically make a dismissal unfair, its provisions are taken into account by employment tribunals, which have the power to adjust compensation by up to 25 per cent where there has been an unreasonable failure to comply.

Under the ACAS Code and associated guidance:

  • unless there is a risk that employees being investigated may tamper with evidence or witnesses, employees must be made aware of all allegations against them as soon as the employer opens an investigation. Before doing so, it may be advisable to discuss this with any relevant authorities to address potential concerns that informing witnesses could tamper with their recollections;
  • although employees can be suspended pending the completion of an investigation, this should only be done when necessary (e.g., to protect the investigation, the business, other staff or the person under investigation) and remain under review to ensure that the period of suspension is no longer than necessary. In most cases, suspension should be on full pay and with no loss of benefits. Care should be taken if the employee in question is a whistleblower as there is a risk that their suspension could be deemed a detriment;
  • employers should follow a fair and lawful process when conducting disciplinary proceedings. At a minimum, there should be an investigation to establish the facts and, if there is a case to answer, a disciplinary hearing. At the meeting, the employee has a statutory right to be accompanied by a colleague or trade union representative and the employee should be allowed to set out their case and answer any allegations that have been made; and
  • employers are expected to allow an employee to appeal against any formal decision made.

Employees who have attained the qualifying period of service have the right not to be unfairly dismissed. For any dismissal, employers must show that the principal reason for the dismissal falls into one of five fair reasons for dismissal under section 98(2) of the ERA.

Directors

If directors are employees, they will benefit from the employee rights outlined above.

If directors are not employees, their rights will be governed by their appointment letter, the corporate’s articles of association and, if relevant, the Companies Act 2006.

31 Do employees’ rights under local employment law differ if a person is deemed to have engaged in misconduct? Are there disciplinary or other steps that a company must take when an employee is implicated or suspected of misconduct, such as suspension or in relation to compensation?

All the rights discussed in question 30 apply to every employee, regardless of whether they did or did not engage in misconduct.

There are no general requirements as to steps that a corporate must take when an employee is implicated or suspected of misconduct, though considerations as to proper corporate governance and compliance with directors’ duties would suggest that the suspicions be investigated and appropriate disciplinary steps taken if warranted.

Specific steps may be required by specific regulators, however, especially if employees carry out regulated activities. For example, those subject to the FCA Senior Managers and Certification Regime have to meet FCA regulatory requirements, including being fit and proper to conduct their functions. To comply with its own regulatory obligations, the employer would therefore need to consider whether the allegations are founded and, if so, whether they affect the propriety of the individual continuing to exercise these functions.

If an employee has been found to have engaged in gross misconduct, they can be dismissed immediately so long as the employer follows a fair procedure (see question 30).

32 Can an employee be dismissed for refusing to participate in an internal investigation?

In general, a request from the employer to participate in an internal investigation will be deemed to be a reasonable management instruction and any unreasonable refusal by the employee to engage in such an investigation may constitute misconduct. Whether or not this then allows the employer to dismiss the employee will turn on the wider circumstances, though a clearly unreasonable refusal by the employee to participate may be capable of being one of the five fair reasons for dismissal under section 98(2) of the ERA. Employers should bear in mind the requirements of the ACAS Code, which sets out recommendations as to the procedure to adopt prior to dismissing an employee.

Where directors are not employees, they will still owe duties to the corporate, whether under the Companies Act 2006 (e.g., to promote the success of the company and exercise reasonable care, skill and diligence) or as a result of their fiduciary position, which may be breached in circumstances where they unreasonably refuse to participate in an internal investigation.

Commencing an internal investigation

33 Is it common practice in your country to prepare a document setting out terms of reference or investigatory scope before commencing an internal investigation? What issues would it cover?

It is common practice, and generally advisable, for corporates to prepare an investigation plan at the outset of an internal investigation. This can help to ensure that the objectives of the investigation are clear and that the investigation does not lose focus, as well as acting as a valuable record of decision-making. A typical investigation plan would cover:

  • the issues requiring investigation and an overview of the circumstances giving rise to the investigation;
  • the purpose of the investigation and an overview of the expected deliverables;
  • immediate steps to be taken to ensure that the conduct underlying the investigation is not continuing (although note the need to avoid tipping off the subject of investigation);
  • how the investigation will be governed, such as who will be responsible for day-to-day management of the investigation, to whom they will report, any trigger after which self-reporting to the authorities should be considered and how changes to the investigation’s scope should be managed;
  • protocols for ensuring that relevant legal professional privilege is maintained throughout the course of the investigation;
  • standardised practice for conducting interviews (such as the form of Upjohn warnings to be given at the beginning of interviews);
  • measures to ensure that none of the individuals involved in the events forming the subject matter of the investigation is involved in the investigation itself;
  • where appropriate, measures to ensure that any whistleblowers maintain anonymity and are kept updated as to the progress of investigations; and
  • protocols regarding document collection and preservation.

Corporates may also wish to consider whether to seek to agree the scope of the proposed investigation with relevant authorities up front. Doing so can build co-operation credit, reduce the risk of later criticism and allow the authorities the opportunity to express preferences regarding the final deliverables. The Financial Conduct Authority (FCA) has noted that, although it will not necessarily want to be involved in discussing the scope of a report in every situation, the potential use and benefit to be derived from the report will be greater if it has had the chance to comment on its proposed scope and purpose. The Serious Fraud Office (SFO) has also expressed concern about the potential for internal investigations to ‘trample over the crime scene’ and involving it in early scoping discussions can help forestall such criticism at a later stage. This early dialogue with authorities can also be used to agree the timing and format of witness interviews, which are often an area of dispute later (especially with regard to privilege).

34 If an issue comes to light prior to the authorities in your country becoming aware or engaged, what internal steps should a company take? Are there internal steps that a company is legally or ethically required to take?

Although there may be circumstances where corporates are required to undertake an internal investigation (e.g., regulatory or professional ethical obligations, directors’ duties or the corporate’s policies and procedures), absent these specific circumstances, there is no general rule requiring corporates to initiate an internal investigation into every issue or allegation that comes to light. Instead, it is open to the corporate to weigh the advantages and disadvantages of conducting an internal investigation and come to a commercial decision. Choosing not to investigate, however, can enable negative inferences to be drawn at a later stage as to the corporate’s culture of compliance or its management and might deny the corporate the opportunity to gain full co-operation credit. In any case, the key steps to take upon the discovery of an issue may include:

  • the preservation of relevant data (such as through issuing document preservation notices to custodians or instructing information technology service providers not to allow data to be destroyed in accordance with usual document retention policies);
  • the identification of appropriately senior and independent individuals to (1) determine whether an investigation might be required and (2) ultimately manage any investigation. This does not mean, however, that the board or senior management of a corporate should necessarily be made aware of every potential issue. Alternatives include briefing the legal or compliance teams, the audit committee or specially constituted management or board subcommittees;
  • consideration of whether there are any immediate notification obligations to law enforcement authorities, insurers, financiers or contractual counterparties, or the market more generally;
  • the suspension of implicated personnel;
  • steps to ensure the relevant misconduct is not continuing;
  • forming an investigation plan, setting out the scope, governance and deliverables required for the investigation;
  • measures to prevent leaks occurring and preparing a plan for when and how public announcements are to be made (in consultation with the corporate’s public relations function if it has one); and
  • the instruction of external counsel.

35 What internal steps should a company in your country take if it receives a notice or subpoena from a law enforcement authority seeking the production or preservation of documents or data?

A first and immediate step should be to ensure that someone sufficiently senior and independent within the organisation is made aware of the production order or notice (Notice), typically via the corporate’s legal or compliance function, and consideration should be given to the instruction of external legal counsel.

The key steps then to be taken will overlap significantly with those taken for document preservation and the drafting of an investigation plan, but additionally will also include:

  • taking particular care to identify the types and sources of data responsive to the Notice (paper records, emails, messaging application transcripts, audio files where telephone conversations are recorded, data held at employees’ homes or on their personal devices, etc.);
  • considering whether responsive data is held abroad, whether the Notice can compel the production of overseas material and whether and on what terms the transfer of the data to the United Kingdom is permissible;
  • defining custodians and search terms to assist with identifying data responsive to the Notice;
  • where relevant, engaging in discussions with the issuing authority to seek to clarify or narrow the scope of the Notice or to request extensions of time;
  • conducting reviews for privileged material among the proposed production set and either withholding the material from production or seeking to agree with the authorities a limited waiver of privilege; and
  • where responsive documents contain personal data (especially special category data such as information relating to a person’s health or sexual orientation), data protection laws should be considered to ensure that the data can lawfully be transferred to authorities. Although processing personal data necessary to comply with a Notice would generally be permissible under UK data protection laws, it may be appropriate to redact irrelevant personal data that is nevertheless contained in a responsive document.

36 At what point must a company in your country publicly disclose the existence of an internal investigation or contact from a law enforcement authority?

Publicly listed companies with securities admitted to trading on relevant regulated markets, such as the Main Market, have obligations under the Market Abuse Regulation (EU) No. 596/2014 and the applicable Listing Rules to disclose ‘inside information’ to the market unless a specified ground for delaying disclosure applies. Inside information is information of a precise nature that has not been made public, relates directly or indirectly to one or more issuers or to one or more financial instruments and, if it were made public, would be likely to have a significant effect on the prices of those financial instruments. Depending on the circumstances, the mere existence of an internal investigation or contact from a law enforcement agency may trigger such disclosure obligations, though this is less common and market disclosures tend to be reserved for the point at which the law enforcement authority itself wishes to announce that it has commenced a criminal investigation into the publicly listed company.

Private companies are not subject to the same obligations to report information publicly. However, they may still be subject to other obligations to report information concerning an internal investigation or contact from law enforcement agencies to third parties. These may include obligations to inform regulators, insurers, banks and contractual counterparties.

37 How are internal investigations viewed by local enforcement bodies in your country?

Law enforcement authorities in England are not opposed to internal investigations provided that they are managed in a way that does not prejudice any criminal or regulatory investigation or prosecution. For example, internal investigations should not be conducted in a way that tips off those under investigation before all relevant data has been collected and secured, or otherwise taints their recollection of events.

In its Corporate Co-operation Guidance published in August 2019, the SFO stated that co-operation includes avoiding prejudice to an investigation by consulting ‘in a timely way with the SFO before interviewing potential witnesses or suspects, taking personnel/HR actions or taking other overt steps’. Likewise, in a 2015 speech, the Joint Head of Bribery and Corruption at the SFO stated ‘we don’t expect you to keep us in the dark while you carry out extensive private investigations . . . we expect you to engage with us early, and to work with us as we investigate, not to rush ahead and, whether intentionally or not, complicate the work we need to do’.

In a speech in the same year, the FCA also underlined the importance of (1) internal investigations being managed in a way that does not ‘trample over the crime scene’ and (2) producing reports that are as useful as possible in the context of subsequent enforcement proceedings. Where a matter is likely to trigger enforcement action, the FCA has requested that firms discuss the scope of their investigations with the FCA as early as possible and agree matters such as the form of report to be produced, the recording and retention of evidence, claims to privilege over the report and the areas to be investigated.

Despite sensitivities concerning internal investigations, the disclosure of a corporate’s investigation report and notes from witness interviews to authorities (and, where required, a corresponding waiver of privilege) is a significant measure in demonstrating co-operation for the purposes of determining whether a deferred prosecution agreement or regulatory settlement would be in the public interest.

Attorney–client privilege

38 Can the attorney–client privilege be claimed over any aspects of internal investigations in your country? What steps should a company take in your country to protect the privilege or confidentiality of an internal investigation?

There are several elements of an internal investigation that may attract legal professional privilege, both in the context of legal advice privilege (broadly, communications between a lawyer and that lawyer’s client for the purpose of giving or receiving legal advice or assistance) and litigation privilege (broadly, communications between a client or that client’s lawyer and a third party for the ‘dominant purpose’ of litigation, such litigation being under way or reasonably in contemplation).

For certain types of documents, the application of privilege will not be controversial. For example, communications between an external lawyer and that lawyer’s client containing advice concerning the strategy for an internal investigation will likely be subject to legal advice privilege.

However, the exact scope of the application of legal professional privilege in some areas of internal investigations has been the subject of significant debate in recent years. In SFO v. ENRC [2018] EWCA Civ 2006, the Court of Appeal considered the privileged status of four categories of documents produced as part of an internal investigation by ENRC into bribery and corruption allegations following a whistleblower report:

  • category 1: notes of witness interviews taken by external lawyers;
  • category 2: reports and other materials generated by external forensic accountants as part of ‘books and records’ reviews;
  • category 3: presentation materials produced and used by external lawyers to present findings to ENRC’s internal team and enable them to obtain instructions; and
  • category 4: emails between two senior individuals at ENRC, one of whom was qualified as a lawyer in Switzerland.

Categories 1, 2, and 4 above were deemed by the Court of Appeal to be subject to litigation privilege on the basis that criminal litigation initiated by the Serious Fraud Office (SFO) was reasonably in contemplation. Category 3 had previously been found to be protected by legal advice privilege and did not form part of the appeal. Although ENRC provided important guidance as to the application of privilege in internal investigations, the findings in respect of the above categories of document were highly fact-specific and so advice should be sought on a case-by-case basis.

In WH Holding v. E20 [2018] EWCA Civ 2652, the Court of Appeal held that communications relating to the settlement of a dispute are not covered by litigation privilege. Although not a question dealt with by the Court, it is possible that internal communications relating to a deferred prosecution agreement that do not contain legal advice may not therefore be protected by litigation privilege. As such, corporates should be careful to ensure that such communications are covered instead by legal advice privilege.

In each case, the application of legal professional privilege to a document is a fact-specific question and the mere copying of a lawyer to communications will not necessarily mean that it is privileged.

Measures that corporates can take to help ensure that privilege is maintained so far as possible during an internal investigation may include:

  • ensuring lawyers are involved and consulted early in the investigation and have involvement in each substantive aspect of its conduct;
  • producing standard wording to be added to documents intended to be privileged, such as ‘legally privileged and confidential’;
  • introducing protocols relating to privilege into the investigation plan to ensure that those involved understand not to (for example) widely share, paraphrase or quote from legal advice that they receive without first consulting the legal team;
  • implementing discrete digital environments for privileged and non-privileged materials (such as through separate shared drives), and limiting access to privileged materials only to those who require it;
  • documenting when civil or criminal litigation is reasonably in contemplation (with reasons as to why this is the case), to enable a corporate clearly to demonstrate when litigation privilege is applicable; and
  • ensuring that all personnel involved in the investigation are trained as to the application and limitations of legal privilege.

39 Set out the key principles or elements of the attorney–client privilege in your country as it relates to corporations. Who is the holder of the privilege? Are there any differences when the client is an individual?

Where documents are subject to legal professional privilege, clients cannot be compelled to disclose them to third parties (including the court) without their consent.

Legal professional privilege can arise in two principal scenarios:

  • legal advice privilege protects confidential communications between lawyers and their clients for the purpose of giving or receiving legal advice or assistance (in both contentious and non-contentious contexts); and
  • litigation privilege protects confidential communications between a client or that client’s lawyer (on the one hand) and a third party (on the other), or other documents created by or on behalf of the client or the lawyer, which are for the dominant purpose of conducting adversarial litigation that is reasonably in prospect.

In either case, documents that lose their confidentiality (such as by becoming publicly available) can lose their privilege. Privilege is held by the client and its protection persists after the client’s death. When lawyers conduct employee interviews on behalf of their corporate client, it should be made clear to the interviewee as part of an Upjohn warning that any privilege applying to the interview notes belongs to the corporate and not the interviewee.

If the represented party is a large organisation, care must be taken when determining the identity of the client (and, therefore, the relevant party in respect of whom communications may attract privilege). In Three Rivers Council v. Bank of England (No. 5) [2003] EWCA Civ 474, the Court of Appeal ruled that legal advice privilege only protects communications between lawyers and those employees of their corporate client who are tasked with seeking and receiving legal advice on behalf of the corporate. Communications between lawyers and those within the corporate who do not fall within this group may therefore not be covered by legal advice privilege and, as such, may only be privileged to the extent they separately fall under the test for litigation privilege.

There is a notable exception to legal professional privilege known as the crime-fraud exception, which enables documents to be compelled where the underlying legal advice is sought in furtherance of a criminal purpose.

40 Does the attorney–client privilege apply equally to in-house and external counsel in your country?

The default position in England is that legal professional privilege applies to both in-house and external counsel and the test for whether privilege applies remains the same for both categories of lawyer. However, additional complexities can arise when considering the position of in-house lawyers, including the identification of their client and whether, in specific circumstances, they are acting in a legal capacity or a commercial or administrative capacity. Communications made by an in-house lawyer when acting in the latter capacity will not generally be considered privileged.

41 Does the attorney–client privilege apply equally to advice sought from foreign lawyers in relation to investigations in your country?

As confirmed by the High Court in PJSC Tatneft v. Bogolyubov [2020] EWHC 3225 (Comm), legal professional privilege extends to communications with foreign counsel, whether or not they are in-house, provided they are acting in the capacity or function of a lawyer. Further, so long as the foreign adviser is acting in the capacity of a lawyer, there is no need to consider whether they are appropriately qualified or regulated as a professional lawyer in their own jurisdiction.

42 To what extent is waiver of the attorney–client privilege regarded as a co-operative step in your country? Are there any contexts where privilege waiver is mandatory or required?

Authorities are able to dispute whether certain documents should in fact benefit from legal professional privilege (e.g., by reference to the crime-fraud exception). However, once established, legal professional privilege is absolute.

As such, there are no contexts where waiver of privileged material is mandatory or required. In its 2020 guidance on deferred prosecution agreements (DPAs), the SFO states that corporates ‘can neither be compelled to waive privilege, nor penalised for not waiving privilege’ and the Financial Conduct Authority (FCA) Enforcement Guide states that firms are not under any obligation to share the content of legally privileged reports or advice. The Law Society’s position is that any form of pressure to waive legal professional privilege is improper, ‘undermines the absolute nature of the protection’ and may be in breach of Articles 6 and 8 of the European Convention on Human Rights.

Nevertheless, a number of authorities consider waiver of privilege to be a significant factor in assessing co-operation. The DPA Code of Practice provides that co-operation (which is a public interest factor in favour of a DPA) includes disclosing witness accounts and any relevant internal investigation reports, and the SFO has confirmed in its Corporate Co-operation Guidance that ‘[a]n organisation that does not waive privilege and provide witness accounts does not attain the corresponding factor against prosecution’ under the DPA Code of Practice. A review of the DPAs entered into to date by the SFO shows that legal professional privilege was not waived (and yet a DPA was still available) in two of the 11 cases. Likewise, the FCA Enforcement Guide states that ‘a firm’s willingness to volunteer the results of its own investigation, whether protected by legal privilege or otherwise, is welcomed by the FCA and is something the FCA may take into account when deciding what action to take, if any’.

43 Does the concept of limited waiver of privilege exist as a concept in your jurisdiction? What is its scope?

Under English law, it is possible to grant a limited waiver of privilege, meaning that, in certain circumstances, privileged documents can be disclosed to third parties without losing privilege against the rest of the world.

Specifically, it is possible to share a privileged document and maintain its claim to privilege more widely if it is disclosed only to a limited number of recipients on express terms that it is to remain confidential, is not to be disclosed outside the limited group and privilege is not waived against the rest of the world. Although, in such cases, the privilege holder loses the right to maintain a claim to privilege against the permitted recipients, so long as the document remains confidential, it would generally still be possible to claim privilege against others. Best practice is also to disclose the document subject to an express purpose limitation or restriction on use, and to state that the permitted recipients have no right to waive privilege on behalf of the disclosing party.

As confidentiality is critical to a claim to privilege, should a document lose its confidentiality (e.g., by being referred to in open court), it will lose its claim to privilege.

Although there may be clear advantages for a corporate to seek to disclose privileged material to authorities subject to such a limited waiver of privilege, authorities may not agree to limited waiver terms that prevent them using the documents for their statutory functions or for subsequent individual prosecutions.

Notwithstanding the recognition of limited waiver of privilege under English law, care should be taken to consider whether other relevant jurisdictions’ laws also provide for such recognition; otherwise, the disclosure of the document in England may amount to wholesale waiver of privilege in the document in that other jurisdiction.

44 If privilege has been waived on a limited basis in another country, can privilege be maintained in your own country?

English law is jurisdiction-neutral in this regard and, therefore, if a document is considered privileged under English law and it has been disclosed subject to a limited waiver of privilege under English law (see question 40), it is irrelevant whether the disclosure took place in or out of the jurisdiction.

45 Do common interest privileges exist as concepts in your country? What are the requirements and scope?

Under English law, common interest privilege arises where a person voluntarily discloses a privileged document to a third party that has a common interest in the subject matter of the privileged document. Parties with such a common interest may, depending on the circumstances, include insurers, co-defendants or other companies within the corporate’s group.

Where it applies, common interest privilege allows both the disclosing party and the receiving party to assert privilege in the document in their own rights as against third parties. However, the right to waive privilege in the document will remain exclusively with the original privilege holder.

The existence of a common interest does not in itself create privilege; it instead merely allows a party to share a document that is already privileged with a third party who has a common interest without losing that privilege. As such, for common interest privilege to apply, the material in question must satisfy the test for either legal advice privilege or litigation privilege. Likewise, the existence of a common interest in a privileged document does not in itself grant the third party with the common interest the right to demand access to the privileged material; disclosure by the privilege holder remains voluntary.

It is common practice for parties with a common interest to enter into a written common interest privilege agreement setting out the specific terms governing the sharing of privileged material between them.

If the third party does not have a common interest, the document may still be shared with that party without losing privilege if shared subject to a limited waiver of privilege (see question 43).

46 Can privilege be claimed over the assistance given by third parties to lawyers?

Although legal advice privilege protects communications between a lawyer and a client, litigation privilege must apply for communications between a lawyer and a third party to be privileged. This is particularly relevant in the context of notes of employee interviews where those employees fall outside the narrowly defined set of individuals at the corporate that are the client (i.e., authorised to instruct and receive advice from the lawyers). As such employees are effectively classified as third parties, legal advice privilege will generally not apply to their interview notes and, therefore, establishing a claim to litigation privilege will be key.

For a document to be covered by litigation privilege, it must be either (1) a communication between a client or that client’s lawyer (on the one hand) and a third party (on the other), or (2) a document created by or on behalf of the client or lawyer, in either case for the dominant purpose of litigation. The litigation must be under way or reasonably in prospect and adversarial and the dominant purpose must have been either to obtain information or advice in connection with the litigation, or to conduct or assist in the conduct of it.

In recent years, there had been some uncertainty as to the point at which litigation may be said to be reasonably in prospect in the context of a criminal investigation. In SFO v. ENRC [2017] EWHC 1017 (QB), at first instance the judge found that, for criminal proceedings to be in reasonable contemplation, the relevant party must have uncovered some evidence of wrongdoing so that the evidential stage of the ‘full code test’ for bringing a criminal prosecution would be met (see question 66). This would generally only be the case relatively late in an investigation. However, the Court of Appeal rejected this, finding that, while not every manifestation of concern by an authority is likely to be regarded as adversarial, where the authority makes it clear that there is a prospect of a criminal prosecution and legal advisers are engaged, there are clear grounds for contending that a criminal prosecution is in reasonable contemplation. As such, it is generally understood that there is now no distinction as to the test for when litigation privilege applies between criminal and civil matters.

Witness interviews

47 Does your country permit the interviewing of witnesses as part of an internal investigation?

Yes, and interviews of witnesses can be an integral part of an internal investigation. However, care should be taken to ensure that the interviews of witnesses and suspects do not prejudice any potential subsequent law enforcement authority or regulatory investigations.

Both the Serious Fraud Office (SFO) and the Financial Conduct Authority (FCA) have stated that in many cases they would prefer to be consulted before potential witnesses or suspects are interviewed (or human resources-related actions or other overt steps are taken in relation to them).

48 Can a company claim the attorney–client privilege over internal witness interviews or attorney reports?

A corporate may be able to claim privilege over notes of witness interviews or investigation reports; however, this is a fact-specific question depending on the circumstances of the interview or report.

Notes of witness interviews will only attract legal advice privilege if they amount to a communication between a lawyer and a client for the purpose of seeking or receiving legal advice or assistance. The definition of ‘client’ is restrictive for these purposes and will generally not include employees that fall outside the narrow group of individuals tasked with seeking and receiving legal advice on behalf of the corporate. Notes of interviews with such employees will generally only be privileged, therefore, if they can fall within the test for litigation privilege, which requires that litigation be reasonably in prospect.

Investigation reports produced by lawyers are more likely to be covered by legal advice privilege, especially where they go beyond mere factual summaries and contain legal advice.

Authorities may nevertheless object to corporates being too bold or creative in their attempts to claim privilege. The FCA has previously stated that the production of lawyers-only notes of interviews (and not recordings or other notes) is a form of ‘gaming’ the process to shroud the output of an investigation in privilege.

Finally, care should be taken where interview notes and other sensitive materials are being prepared by auditors or other non-legally qualified personnel as they are unlikely to be privileged.

49 When conducting a witness interview of an employee in your country, what legal or ethical requirements or guidance must be adhered to? Are there different requirements when interviewing third parties?

There are no strict legal rules or requirements as to how interviews should be conducted with current or former employees, though a corporate should bear in mind the requirements of applicable employment law (see question 30) and the general obligation not to pervert the course of justice, which could include conducting interviews in a way that taints the recollection or answers of interviewees.

One way to protect corporates from such accusations would be for employers to pay for the interviewee to have an independent lawyer present for the interview.

Although not strictly a legal requirement, it is also good practice for interviewers to give employees an Upjohn warning before the interview commences, stating that:

  • the interviewer represents the corporate and not the employee;
  • to the extent that the note of the interview is privileged, the privilege belongs solely to the corporate and not the employee; and
  • the corporate may choose to waive this privilege and disclose a note of the interview to a third party without consulting the employee.

Such a warning helps ensure clarity for interviewees and can prevent later claims by employees that they believed they had control over the use and disclosure of the interview note.

In addition, interviewees should generally be told whether they are implicated in any wrongdoing and that they should not discuss the contents of the interview with anyone else to avoid affecting the integrity of the process.

50 How is an internal interview typically conducted in your country? Are documents put to the witness? May or must employees in your country have their own legal representation at the interview?

Internal interviews can take place remotely or in person, though best practice is face-to-face. Interviewees increasingly have legal representation at interviews, especially if they are a suspect or there is a heightened risk of self-incrimination.

Documents can be put to witnesses, though best practice is to limit the documents shown to witnesses to those they would have been copied into or seen at the time. This is in line with the SFO’s guidance on co-operation and will help to limit later criticism that witnesses’ recollections have been tainted. A record should always be kept of the documents shown to interviewees during interviews and, depending on the circumstances, a copy of the note may be given to the interviewee for them to agree so as to limit the scope for challenges to the note’s accuracy at a later date. A verbatim record of the interview could be kept by way of an audio recording, although the interviewee should be informed of this (which could make the interviewee more uncomfortable and affect their answers). Further, if an interview is recorded, it may be harder to assert that the recording is subject to legal professional privilege.

Reporting to the authorities

51 Are there circumstances under which reporting misconduct to law enforcement authorities is mandatory in your country?

Whether a reporting obligation arises turns partly on the regulatory status of the corporate or the individuals involved, the expectations of the relevant authorities and the nature of the issue itself.

Financial Conduct Authority and Prudential Regulation Authority

Firms regulated by the Financial Conduct Authority (FCA) are under a duty to deal with their regulators in an open and co-operative way and must disclose appropriately anything relating to them of which the FCA would reasonably expect notice. Although the FCA accepts that the period of notice to be given will depend on the circumstances, it expects a firm to act reasonably and discuss relevant matters with it at an early stage, before making any internal or external commitments, and in certain cases the notification obligation can be immediate. Dual-regulated firms owe similar obligations to the Prudential Regulation Authority.

FCA-authorised firms arranging or executing transactions in certain financial instruments are also required to report suspicious transactions to the FCA without delay by way of a suspicious transaction report (FCA Handbook, SUP 15.10.2).

Failure to comply with these reporting obligations may lead to FCA enforcement action.

Money laundering and terrorist financing

Obligations to notify may also arise under applicable anti-money laundering and anti-terrorism rules. Persons working in the regulated sector (e.g., the financial sector, auditors, tax advisers, casinos, cryptoasset exchanges or lawyers in relation to certain transactions, such as trusts, real property transactions and mergers and acquisitions activity, among others) must, subject to certain limited exceptions, submit a suspicious activity report (SAR) (either directly or through their firm’s nominated officer) to the National Crime Agency in respect of information that comes to them in the course of their business if they know or suspect, or have reasonable grounds for knowing or suspecting, that a person is engaged in money laundering or terrorist financing, or even just attempting the latter. Failure to submit a SAR in this regard may amount to a criminal offence.

Even if a person does not work in the regulated sector, if they know or suspect that property they are dealing with constitutes or represents a person’s benefit from criminal conduct, they are at risk of committing a money laundering offence unless they make an authorised disclosure and receive consent to continue with the activity (referred to as a defence against money laundering).

Corporates will also need to consider whether they are required to make any market disclosures. For corporates with shares listed on relevant exchanges (e.g., the Main Market or the Alternative Investment Market), this may arise if the underlying conduct or the findings of the internal investigation constitute inside information, in which case the issuer would be under a duty to inform the public as soon as possible unless an exception applies (i.e., one of the specified grounds for delaying disclosure).

Other regulated industries

Other notification obligations may also arise under the rules of (1) professional bodies (e.g., firms of solicitors are under an obligation to report potentially serious breaches of applicable regulatory requirements to the Solicitors Regulation Authority), (2) licensing authorities (e.g., gambling operators licensed by the Gambling Commission of Great Britain are subject to notification obligations under the Licence Conditions and Codes of Practice), or (3) under data privacy legislation (e.g., under Article 33(1) of the retained version of the EU General Data Protection Regulation, data controllers are under a duty to notify the Information Commissioner’s Office (ICO) of personal data breaches ‘without undue delay, and where feasible, not later than 72 hours after having become aware of it’).

52 In what circumstances might you advise a company to self-report to law enforcement even if it has no legal obligation to do so? In what circumstances would that advice to self-report extend to countries beyond your country?

Even where there is no legal obligation to notify authorities of any suspected wrongdoing, it may still be in a corporate’s self-interest to make a voluntary self-report to the relevant law enforcement authorities as it may improve the corporate’s prospects of avoiding criminal prosecution or reduce the size of a financial penalty.

For example, although there is no obligation to notify the Serious Fraud Office (SFO) or HM Revenue and Customs (HMRC) of suspected criminal conduct, making a voluntary self-report to these bodies ‘within a reasonable time of the offending coming to light’ is listed as an example of co-operation (which is a public interest factor against prosecution and in favour of resolution by a deferred prosecution agreement (DPA) or via an asset recovery power). In addition, under the sentencing guidelines for corporate offenders relating to fraud, bribery and money laundering offences, co-operation is a factor affecting the discount to be applied to a potential financial penalty, with a discount of 16.66 per cent (additional to the general 33.33 per cent discount for the equivalent of a guilty plea) being granted in a number of DPAs in recognition of ‘extraordinary co-operation’. The reference to a reasonable time frame allows scope for corporates to conduct a preliminary internal investigation prior to self-reporting, with the SFO having acknowledged that companies have a duty to their shareholders to investigate, assess and verify allegations or suspicions, so that they understand what they may be reporting before they report it.

Balanced against this are the risks of a voluntary self-report, including that the self-report may bring issues to the attention of the authorities that they might otherwise never become aware of and that the scope of the authorities’ focus may widen beyond the initial disclosure. However, corporates choosing to keep the matter confidential and to remediate in private without notifying the authorities should bear in mind the risk that, should the issue later come to the attention of the authorities, negative inferences may be drawn (e.g., that the initial decision not to make a self-report was a cover-up).

Similar considerations would apply to self-reports made to authorities in other jurisdictions, though it would be best to take local legal advice on the risks and rewards of doing so and to consider the possible interplay between the investigations in multiple jurisdictions (e.g., whether documents shared with one authority would then be disclosed to another).

53 What are the practical steps needed to self-report to law enforcement in your country?

An initial question that arises is whether and how far to investigate an issue prior to making a self-report. In certain cases, it may be prudent promptly to self-report a potential issue that is likely to be of interest to authorities and to seek to agree the scope of any subsequent internal investigation. Likewise, in certain cases, immediate disclosure may be in effect required by regulatory obligations or as a result of money laundering legislation. In other situations, a corporate may first investigate and then present its findings to authorities. In the latter case, authorities will expect a report to be made within a reasonable time of the offending coming to light, and so, investigations should last only as long as necessary for corporates to understand the scope of potential wrongdoing being reported. Further, prior to making a self-report, corporates should understand and have reviewed the proposed disclosures so as to ensure that they do not inadvertently waive privilege.

As for making the report, the intelligence unit of the SFO has a dedicated online form for self-reporting that is appropriate for cases of serious or complex fraud, bribery or corruption. Should the SFO consider an online report to be of interest, it may then request hard-copy evidence. HMRC has an online form that can be used by corporates to self-report a failure to prevent the facilitation of tax evasion and the ICO has an online portal as well as a dedicated telephone number for reporting personal data breaches. For other authorities, there is no set method prescribed by law to make a report, although they may have dedicated telephone numbers or correspondence addresses. Writing a letter to the appropriate department of a law enforcement authority will often be a valid means of self-reporting.

Responding to the authorities

54 In practice, how does a company in your country respond to a notice or subpoena from a law enforcement authority? Is it possible to enter into dialogue with the authorities to address their concerns before or even after charges are brought? How?

In many cases, it is best practice to engage with authorities early upon receipt of a production order or notice (Notice). This will enable corporates to clarify the scope of vague requests or ask for extensions to deadlines. It may also be possible to agree limits to the scope of review, which could include selecting relevant data custodians, data sources and search terms to be applied to such data.

It will not always be possible to negotiate Notices in this way. Search warrants (e.g., in the context of dawn raids) are designed to be exercised quickly and without protracted negotiations. In every case, however, a corporate can and should withhold privileged material from disclosure (or, if such materials are to be disclosed, disclosure should only be on the basis of a limited waiver of privilege agreed with the authority).

If a law enforcement authority disputes a corporate’s assertion of privilege over a document, independent counsel may be appointed to review the disputed material and make a preliminary determination as to whether it is privileged. The instructions to counsel in this regard should be pre-agreed with the authorities and will not generally relate to whether or not the document is responsive to the Notice. Counsel may also be asked to opine on whether material that appears to be privileged falls within the crime-fraud exception, thus rendering it disclosable. Corporates should carefully consider any opinion given in this regard and challenge it should they consider that counsel did not have enough information to make a determination on this basis. If an authority does not consent to an independent counsel’s appointment and continues to push for the disclosure of the material, the documents can be referred to the court to make a ruling or the corporate can launch a judicial review.

After charges are brought against a corporate, it remains open to it to make representations to law enforcement authorities as to why the prosecution is misconceived on the facts or in law, or why it would not be in the public interest, with a view to convincing the authority to discontinue the prosecution.

55 Are ongoing authority investigations subject to challenge before the courts?

As law enforcement agencies are public authorities, their actions (including their decisions to investigate, charge or refrain from issuing a ‘no further action’ letter) may be susceptible to challenge by way of judicial review.

The courts can make a range of orders in judicial review cases, such as mandatory orders requiring the authority to take an action, prohibitory orders that prevent the authority from doing something and even quashing orders that set aside an authority’s decision entirely. In R (on the application of Soma Oil and Gas Ltd) v. Director of the SFO [2016] EWHC 2471 (Admin), a corporate subject to a long-running corruption investigation by the Serious Fraud Office (SFO) commenced judicial review proceedings against the agency, seeking an order requiring the SFO to cease the investigation. Although the application was unsuccessful (with the High Court noting that the corporate faced a ‘very high hurdle indeed’), the SFO closed its investigation shortly afterwards, effectively achieving the result that the company sought.

56 In the event that authorities in your country and one or more other countries issue separate notices or subpoenas regarding the same facts or allegations, how should the company approach this?

A corporate’s obligations of disclosure under a production order or notice (Notice) are not affected by similar Notices made in other countries. However, corporates should try to ensure that their approaches to the parallel investigations are applied consistently.

Corporates may benefit from notifying the domestic authorities of the parallel Notices and seeking to negotiate similar, consistent terms of reference. However, domestic authorities are under no obligation to agree to this and may be unlikely to do so where the scope of the investigations is materially different. Nevertheless, some aspects of the parallel investigations may be amenable to agreement, such as a consistent document preservation plan so as to prevent costly repetition of work. In some instances, however, it may not be desirable to alert the authorities about the existence of a parallel overseas investigation (to the extent they are not already aware).

57 If a notice or subpoena from the authorities in your country seeks production of material relating to a particular matter that crosses borders, must the company search for and produce material in other countries to satisfy the request? What are the difficulties in that regard?

Until recently, the territorial scope of the SFO’s power to compel the production of documents (under section 2(3) of the Criminal Justice Act 1987 (CJA) and, by extension, section 2A of the CJA) was unclear, both in relation to documents held by a UK corporate operating overseas (including on an overseas server) and to a foreign corporate that has no business presence in the United Kingdom.

However, the position was clarified by the Supreme Court in February 2021 in R (on the application of KBR, Inc) v. the Director of the SFO [2021] UKSC 2, which found that, based on the presumption against extraterritoriality under English law, the lack of express wording as to extraterritorial effect under section 2(3) of the CJA means that it is to be interpreted restrictively. As such, the SFO cannot compel foreign corporates with no presence in the jurisdiction (i.e., a registered office, fixed place of business or business activities) to produce documents held abroad. However, the SFO can compel corporates within the jurisdiction to produce documents held overseas that are within their possession or control. As such, while practically it may be unable to compel a UK-based subsidiary to produce documents held by its overseas parent if that parent has no presence in the United Kingdom, the SFO may be able to compel a UK-based parent to transfer to the United Kingdom and produce documents held by a foreign subsidiary that is found to be under its control. If the local law in the overseas jurisdiction prevents the international transfer (e.g., because of a blocking statute or data privacy law), this may be a reasonable excuse for non-compliance with the section 2(3) notice.

Similar considerations will apply to other authorities when exercising their powers of compulsion unless the relevant powers are expressly stated by statute to have extraterritorial effect.

If an authority is unable to compel the production of material held overseas, it may still be able to request the material from overseas authorities via mutual legal assistance (MLA) channels (see question 58). Authorities may also consider the voluntary production of such material by the corporate to be a mark of co-operation, allowing a corporate to build credit relevant to whether it may be offered a deferred prosecution agreement or a reduction in any financial penalty.

In October 2019, the United Kingdom and the United States signed a bilateral agreement for accessing electronic data in cases of serious crime (known as the Data Access Agreement). The Agreement, which came into force in October 2022, permits UK law enforcement agencies to apply to English courts to obtain electronic data directly from US communications service providers, without the need for the involvement of US authorities or an MLA treaty.

58 Does law enforcement in your country routinely share information or investigative materials with law enforcement in other countries? What framework is in place in your country for co-operation with foreign authorities?

Owing to the international nature of corporate investigations and criminal conduct, it is increasingly common for law enforcement authorities across multiple jurisdictions to co-operate with one another and share evidence. MLA is the primary method facilitating this, allowing states to assist one another in the investigation and prosecution of criminal offences. The United Kingdom is party to a number of bilateral and multilateral mutual legal assistance treaties (MLATs); however, the United Kingdom can provide assistance to any jurisdiction (even if there is no formal MLAT in place).

The Crime (International Cooperation) Act 2003 (CICA) sets out the primary framework governing MLA in criminal cases, covering the following activities both in, and on behalf of, the United Kingdom: the service of process; freezing, obtaining and transmitting evidence; search and seizure; the temporary transfer of prisoners; and audiovisual links for court hearings. As a general rule, the United Kingdom is now required to provide assistance that complies with the procedural requirements of CICA and there is no requirement that the requesting state be in a position to provide the same level of assistance to the United Kingdom. As a practical matter, requests are made by formal international letters of request (ILORs), also known as letters rogatory. If the United Kingdom is making the request, evidence obtained may only be used for the purpose for which it was requested (unless the consent of the overseas authority has been obtained) and is subject to the same rules on admissibility as evidence collected in the United Kingdom.

The SFO is able to use its powers of compulsion in responding to an ILOR (e.g., its power to compel an individual to answer questions under section 2(2) of the CJA). However, the requesting authority must provide the United Kingdom with a written undertaking that any evidence so gathered will not be used against that person in a prosecution.

In addition to formal MLA, there is the option of more informal police-to-police co-operation under which law enforcement authorities can ask for the voluntary assistance of their counterparts in other states. As this does not involve a formal MLA request, it can be a quicker and easier process, though whether such material is capable of being admissible as evidence will turn on the rules of the requesting jurisdiction. Often, overseas authorities may first request intelligence informally before then making a formal MLA request, using the former to guide the detail of the latter. There is no obligation on law enforcement authorities, however, to comply with informal requests.

59 Do law enforcement authorities in your country have any confidentiality obligations in relation to information received during an investigation or onward disclosure and use of that information by third parties?

In general terms, law enforcement authorities will keep non-public information received during an investigation confidential. However, third parties with a genuine interest in the proceedings may request documentation from the investigating authority or the prosecutors, for example to assist with concurrent civil litigation. The authorities will only disclose information if it is in the public interest to do so and in each case the owner of the information (such as a corporate subject to a production order) must be given notice and, if they do not consent to the disclosure, the opportunity to object to the disclosure (i.e., by making representations) unless doing so would be inappropriate or impracticable (R (on the application of Kent Pharmaceuticals Ltd) v. SFO [2005] 1 W.L.R. 1302).

Where production is sought of a witness statement, the witness’s consent for disclosure generally implies consent for disclosure of any exhibits; however, separate consent may be required when exhibits are sensitive. Furthermore, the House of Lords in Conway v. Rimmer (1968) 1 All ER 874 set out a general rule that disclosure in a civil case of anything that might be material in a pending prosecution would be inappropriate (although once the criminal prosecution has been disposed of, the need for confidentiality falls away).

Certain categories of documentation obtained during investigations are subject to additional limits on disclosure. Material seized by police cannot be disclosed to third parties unless the owner has consented to it or the police officer has been served with a witness summons. In the latter case, the owner of the information must still be granted an opportunity to object to disclosure. Additionally, section 3 of the CJA prevents the SFO from disclosing certain information obtained during the course of an investigation except to certain government bodies and only for specified purposes.

When disclosure is made by law enforcement authorities to third parties, it will generally be on the basis that the recipient of the information can only use it for the purposes of the proceedings in question. Third parties may be required to sign a formal undertaking in this regard. In civil proceedings, there is an implied undertaking that parties receiving documents as part of the disclosure process will not use them for a collateral purpose except in certain circumstances.

60 How would you advise a company that has received a request from a law enforcement authority in your country seeking documents from another country, where production would violate the laws of that other country?

Generally, the corporate should seek to avoid complying with the request by explaining to the requesting authority the reasons for non-compliance and suggesting that they seek documents via other means, such as pursuant to any MLAT. However, legal advice should be sought before refusing to comply, in whole or in part, as failure to do so may constitute a criminal offence or a contempt of court.

Depending on the foreign laws in question, it may be that responsive documents can be disclosed with redactions applied to problematic information. This would at least help to demonstrate that the corporate is co-operating with the authorities to the greatest extent possible.

61 Does your country have secrecy or blocking statutes? What related issues arise from compliance with a notice or subpoena?

A blocking statute in this context is a statute that criminalises or otherwise prevents the disclosure of certain categories of material outside the jurisdiction unless specific gateways apply. A number of European jurisdictions (including France) have developed such statutes with a view to curbing the perceived encroachment of US litigation, including its wide discovery rules, on their domestic businesses.

Although the United Kingdom does not have any such legislation, if the disclosure is being made pursuant to an MLAT, it will be necessary to comply with the procedural requirements of CICA (see question 58) and it will be necessary to bear in mind the requirements of UK data protection laws, including the retained version of the EU General Data Protection Regulation and the Data Protection Act 2018 (see question 24).

By way of a limited exception, section 2 of the Protection of Trading Interests Act 1980 provides the Secretary of State for Business, Enterprise and Industrial Strategy with the power to prevent a UK person from complying with foreign disclosure obligations for a number of reasons, such as where the disclosure would be prejudicial to the sovereignty or national security of the United Kingdom.

62 What are the risks in voluntary production versus compelled production of material to authorities in your country? Is this material discoverable by third parties? Is there any confidentiality attached to productions to law enforcement in your country?

Corporates facing an investigation by a law enforcement authority with the power to compel the production of material often have the option of producing material voluntarily instead. This can allow the corporate to gain co-operation credit (which is relevant to whether a DPA may be available and whether a discount may be applied to any potential financial penalty), to gain the goodwill of the law enforcement authority and, at times, to have an input into the direction of the external investigation.

In certain cases, however, there may be advantages to only disclosing documents subject to a compulsory order, including to comply with data protection legislation (should the data set, for instance, include special category data), if the data set contains documents belonging to third parties (which the corporate itself does not have the authority voluntarily to disclose), or if the relevant authorities are subject to specific statutory requirements to maintain the confidentiality of material received under powers of compulsion (see question 59).

If law enforcement authorities are unable to compel the production of materials (whether because they are privileged or located outside the jurisdiction – see questions 42 and 57), the only option would be voluntary production. In such cases, the corporate can seek to limit the use to which the documents can be put (e.g., via a purpose limitation or a limited waiver of privilege), though authorities will usually be keen to ensure they can use any such documents for their statutory functions and potentially for subsequent prosecutions.

Third parties may apply for a court order compelling law enforcement authorities to produce documents that were previously disclosed to them during an investigation. However, the decision whether to grant such an order lies in the discretion of the court, which will conduct a balancing exercise between the public interest in ensuring that the law enforcement authority is able to conduct a proper investigation on a confidential basis and the public interest that the administration of justice should not be frustrated (Harlequin Property v. Wilkins Kennedy [2015] EWHC 3050 (TCC)).

Prosecution and penalties

63 What types of penalties may companies or their directors, officers or employees face for misconduct in your country?

Individuals can be sentenced to imprisonment or fines (or both), as well as confiscation of assets and orders to perform community service. They may also be disqualified from being a director for up to 15 years and details of this disqualification may be published online.

Corporates can also be subject to fines and compensation orders, and conviction for certain offences, such as bribery, drug trafficking, money laundering or terrorism, carries with it a mandatory debarment from public tendering for up to five years. Additionally, an array of conditions may be imposed on corporates as part of a deferred prosecution agreement (DPA). These are listed in Schedule 17 of the Crime and Courts Act 2013, and include donations to charity, future co-operation with investigations, payment of prosecutor costs and the introduction or amendment of compliance programmes.

Civil or regulatory penalties may also be imposed on individuals and corporates for certain breaches. For example, the Financial Conduct Authority can impose fines or strip authorised firms and individuals of their permissions to perform regulated activities, and the Office of Financial Sanctions Implementation can impose monetary penalties or publish details of breaches online (even where no monetary penalty is imposed). In cases of tax evasion of more than £25,000, HM Revenue and Customs may publish the names of defaulters in a public register.

64 Where there is a risk of a corporate’s suspension, debarment or other restrictions on continuing business in your country, what options or restrictions apply to a corporate wanting to settle in another country?

Under the Public Contracts Regulations 2015 (the PCRs), corporates must be excluded from participating in public procurement exercises for up to five years if convicted of certain serious offences, such as those relating to bribery (save for the corporate offence of failing to prevent bribery), terrorism or money laundering. Additionally, contracting authorities have discretion under the PCRs to debar corporates for up to three years for a number of reasons, such as non-payment of taxes or grave professional misconduct (which may include a conviction for failure to prevent bribery).

Whether a settlement in another country will trigger a mandatory or discretionary debarment depends in large part on the nature of the settlement. Under English law, a DPA in relation to an offence in the United Kingdom is not tantamount to a conviction and so does not constitute grounds on which mandatory or discretionary debarment can be imposed. Where there is ambiguity in this regard and a settlement abroad could trigger discretionary debarment, corporates could seek to make representations to authorities to convince them not to exercise their discretion to debar.

The PCRs permit companies to recover their eligibility for public procurements if they are able to demonstrate evidence of self-cleaning, such as the payment of a financial penalty and the implementation of compliance enhancements.

65 What do the authorities in your country take into account when fixing penalties?

Following conviction, English courts fix penalties by reference to sentencing guidelines published by the Sentencing Council. These guidelines have specific sections for fraud, bribery and money laundering offences. Factors that are relevant to the level of sentence imposed include:

  • the defendant’s level of culpability, which is influenced by factors such as the involvement or coercion of others, the level of planning behind the offence and the offence being motivated by substantial gains;
  • the harm caused by the defendant’s actions, which is measured in terms of factors including environmental impact, the detrimental effects or losses suffered by others or the undermining of the proper function of government (in the case of bribery and corruption offences);
  • any reasons (such as assistance to the prosecution) that may justify a lower sentence (pursuant to section 73 of the Serious Organised Crime and Police Act 2005);
  • the stage of guilty plea (if applicable);
  • the financial circumstances of the corporate;
  • whether the total sentence (when taking into account other offending) is just and proportionate to the overall offending behaviour; and
  • any confiscation, compensation and ancillary orders that are appropriate to impose.

Resolution and settlements short of trial

66 Are non-prosecution agreements or deferred prosecution agreements available in your jurisdiction for corporations?

Non-prosecution agreements

Non-prosecution agreements are not available in England. As part of the consultation that eventually led to the introduction of deferred prosecution agreements (DPAs), the Ministry of Justice concluded that, despite the effectiveness of the concept in the United States, ‘the lack of judicial oversight is likely to make it unsuitable for the constitutional arrangements and legal traditions in England and Wales’.

English authorities can determine, however, that the public interest is not in favour of prosecution based on what is known as the full code test under the Code for Crown Prosecutors. This test dictates that prosecutors must only start or continue a prosecution when the case has passed both the evidential and public interest stages. In relation to the latter, the prosecutor must conduct a balancing exercise to consider whether the public interest factors tending in favour of prosecution outweigh those tending against. The Code for Crown Prosecutors states: ‘In some cases the prosecutor may be satisfied that the public interest can be properly served by offering the offender the opportunity to have the matter dealt with by an out-of-court disposal rather than bringing a prosecution.’

DPAs

DPAs were introduced by Schedule 17 to the Crime and Courts Act 2013 and have been available since February 2014.

A DPA is a discretionary tool available only to designated prosecutors (at present, only the Director of the Serious Fraud Office (SFO) and the Director of Public Prosecutions (DPP)) under which the prosecutor and a corporate may enter into an agreement whereby the corporate agrees to a course of conduct for a specified term and the prosecutor agrees that prosecution will be deferred. At the conclusion of this term, if the corporate has complied with all its obligations, the matter will then be concluded without prosecution. DPAs are only available for specified offences, largely relating to bribery, fraud and dishonesty. They are not available for individuals.

To invite a corporate to enter into negotiations for a DPA, the prosecutor must be satisfied that (1) either the evidential stage of the full code test is satisfied or there is a reasonable suspicion based on some admissible evidence that the corporate has committed the offence (see question 66), (2) the full extent of the alleged offending has been uncovered, and (3) the public interest would likely be met by a DPA. The DPA Code of Practice sets out a non-exclusive list of such public interest factors, including whether the corporate has a history of similar conduct, whether there was a self-report, whether a significant level of harm was caused to the victims, the level of co-operation, the extent of remediation and whether the conviction would have disproportionate consequences for the corporate.

During negotiations, the prosecutor and the corporate will seek to agree the conduct that will be covered by the DPA, the offences charged, the financial penalty, any additional remediation steps and the language of the statement of facts, which will be a public document setting out the conduct relevant to the DPA.

Should DPA negotiations be successful and both sides reach agreement on the draft DPA terms and the related statement of facts, an application is to be made to the Crown Court for a preliminary hearing (heard in private) and a declaration that entering into the DPA is likely to be in the interests of justice and the proposed terms are fair, reasonable and proportionate. If the court does not provide this declaration, it is open to the parties to return to negotiation and attempt to deal with any issues identified. If the court does grant the declaration, the parties will then apply to the court for a further (public) hearing, at which the court will be asked to declare that the DPA is in the interests of justice and the terms are fair, reasonable and proportionate.

If a corporate has engaged in criminal conduct, the advantages of a DPA can be clear, given that it will result in the corporate avoiding prosecution and conviction. However, even when the offending is less clear or debatable, a corporate may still prefer to secure a DPA in circumstances where (1) the consequences of a prosecution or conviction (no matter how remote) would be unacceptable to the corporate (e.g., because it would result in the loss of a business-critical licence or debarment from public sector procurement), (2) the corporate wishes to avoid the time, expense and negative publicity of a prosecution or (3) a DPA could result in a lower financial penalty than at trial (with discounts for DPAs generally being set at between 33 and 50 per cent). Balancing this, the consensual nature of agreeing a DPA will often require a corporate to accept certain conduct or arguments that it may otherwise have defended, had it been prosecuted, and in certain cases may involve a higher financial penalty (e.g., if agreeing this is the price for securing a DPA).

DPAs have been popular since their introduction, with 11 having been approved by the courts to date.

67 Does your jurisdiction provide for reporting restrictions or anonymity for corporates that have entered into non-prosecution agreements or deferred prosecution agreements until the conclusion of criminal proceedings in relation to connected individuals to ensure fairness in those proceedings?

Where charges against connected individuals have been brought or are contemplated, there is a possibility that publication of the full DPA, statement of facts or even name of the corporate may pose a risk of prejudicing the individual prosecutions. In such cases, it is common for the statement of facts (and, if relevant, sections of the DPA itself) to be anonymised or withheld from publication altogether until conclusion of the individual prosecutions. An application for reporting restrictions under section 4(2) of the Contempt of Court Act 1981 may also be considered.

Consideration may also need to be given to whether publication of individuals’ names is in compliance with the UK data protection regime and the European Convention on Human Rights.

68 Prior to any settlement with a law enforcement authority in your country, what considerations should companies be aware of?

Corporates will always benefit from seeking legal counsel, assessing the strength of the evidence of wrongdoing and weighing up the respective advantages and disadvantages of pursuing the settlement versus a prosecution.

Corporates should also consider whether the materials disclosed to prosecutors cover the entirety of the wrongdoing (especially where materials have been properly withheld on the basis of privilege, but in doing so, the corporate may have provided an incomplete or misleading picture of the conduct). Ensuring full disclosure not only secures a more transparent, consensual process but helps to achieve additional finality versus the risk that the incomplete or misleading information comes out in the future and the settlement is withdrawn.

In relation to DPAs specifically, both the corporate and its legal advisers are expected to provide warranties that the material provided to the prosecutor during the DPA negotiations and on which the DPA is based does not knowingly contain ‘inaccurate, misleading or incomplete information’. In addition, as the scope of protection of a DPA is generally limited to conduct described in the draft indictment appended to the DPA, it can be in a corporate’s interests to disclose additional conduct and benefit from the finality of it being included in the DPA.

As regards the respective advantages and disadvantages of the settlement itself, factors to consider include the likelihood of conviction, the penalties following conviction versus a settlement, the time frame, the overall cost, the potential reputational damage and any collateral consequences of charge or conviction, including possible loss of licences and debarment. Consideration should also be given to the effect that settlement may have on civil litigation risk, any ongoing investigations in other jurisdictions, insurance arrangements, banking covenants, contractual termination rights, plans to list or issue shares and the likelihood that individuals may be prosecuted. In the DPA context, corporates should carefully consider the wording of the agreed statement of facts, given that ultimately it will be a public document and treated as a formal admission by the corporate in any criminal proceedings brought against it in the United Kingdom for the alleged offences set out in the indictment.

Finally, where there are concurrent investigations in other jurisdictions, corporates may also wish to consider whether it is possible to coordinate a global resolution of multiple investigations simultaneously (as, for instance, was achieved in the DPAs relating to Rolls-Royce and Airbus).

69 To what extent do law enforcement authorities in your country use external corporate compliance monitors as an enforcement tool?

The appointment of an external compliance monitor at an offending corporate’s expense is one of the measures that may be imposed as part of a DPA and the mechanics for this are detailed in the DPA Code of Practice.

In its 2020 guidance on evaluating compliance programmes, the SFO confirmed that the appointment of a monitor at the corporate’s expense is ‘likely’, although it remains to be seen how prevalent this measure will be. A corporate monitor was appointed as part of the 2020 DPA between the SFO and G4S Care and Justice Services (UK) Limited, and in Airbus’s global settlement later that year, a monitor was appointed as part of the French limb to the settlement.

It is not always deemed necessary to appoint a monitor: for example, in the 2021 DPA involving Amec Foster Wheeler Energy Limited, the SFO determined that a monitor was not necessary in light of the substantial remediation exercise and compliance programme improvements implemented by the company’s parent.

70 Are parallel private actions allowed? May private plaintiffs gain access to the authorities’ files?

Civil proceedings are possible in parallel with criminal proceedings; however, criminal investigations or prosecutions will generally (though not always) take precedence over the civil proceedings. Where civil and criminal proceedings do proceed in parallel, care will need to be taken in relation to their possible interaction, especially in relation to disclosure.

Section 6 of the Prosecution of Offences Act 1985 enables private individuals or corporates to initiate private criminal prosecutions. A private prosecution begins when a prosecutor applies to a magistrates’ court for the issue of a summons; the court will consider whether the relevant requirements have been met. These include that the offences are known to law, that the matter is not time-barred and that the court has jurisdiction (R v. West London Metropolitan Stipendiary Magistrate Ex p. Klahn [1979] 1 W.L.R. 933). For some offences, such as those under the Bribery Act 2010, the consent of the Attorney General or the DPP is required before a private prosecution can be instituted. Under section 6(2) of the Prosecution of Offences Act 1985, the DPP also has the right to take over the private prosecution at any stage and may elect to discontinue it. Given rules on double jeopardy and abuse of process, a private prosecution will not be granted permission to proceed where the conduct has already been the subject of a public prosecution.

It may be possible for claimants to access parts of the authorities’ files; some information may be obtained through a written request, while other categories will require an application to court. Individuals may also be able to make ‘subject access requests’ under the Data Protection Act 2018, which would compel investigators or prosecutors to provide the individual with personal data held about them. There are exceptions to the authorities’ obligations to disclose personal data, such as when the information is privileged or relates to another individual, concerns the prevention or detection of crime, or relates to the apprehension or prosecution of offenders.

Publicity and reputational issues

71 Outline the law in your country surrounding publicity of criminal cases at the investigatory stage and once a case is before a court.

Sections 1 and 2 of the Contempt of Court Act 1981 (CCA) set out ‘the strict liability rule’, which provides that it is a contempt of court to publish any matter that creates a substantial risk of serious prejudice or impediment to the course of justice in legal proceedings, regardless of the intention behind the publication. The rule applies only to legal proceedings that are active at the time of publication and publications are broadly defined, including written or oral communications in whatever form, addressed to the public at large or any section of the public. As such, criminal investigations are not extensively reported on until after the end of the trial; before this point, reports must be only factual (detailing facts of the hearings) and not speculative.

If proceedings are not active, but are pending or imminent, contempt of court may also arise under the common law. However, unlike under the CCA, common law publication contempt requires that there was an actual intent to interfere with the administration of justice in those proceedings.

Section 4(2) of the CCA allows the court, where it appears to be necessary for avoiding a substantial risk of prejudice to the administration of justice in any active, pending or imminent proceedings, to order that the publication of any report of the proceedings, or any part of the proceedings, be postponed for such period as the court thinks necessary for that purpose.

In February 2022, in Bloomberg LP v. ZXC [2022] UKSC 5, the Supreme Court clarified that, as a general rule or as a legitimate starting point, an individual (but not a corporate) under criminal investigation has a reasonable expectation of privacy in respect of information relating to that investigation unless and until they are formally charged (referred to as pre-charge anonymity). As such, state bodies and the press will generally not publicly identify any individuals under investigation before they are charged. However, the question of whether there is a reasonable expectation of privacy is fact-specific and a balancing exercise must be undertaken in each case between the right to privacy and the right to freedom of expression.

72 What steps do you take to manage corporate communications in your country? Is it common for companies to use a public relations firm to manage a corporate crisis in your country?

For larger corporations, it is common to have teams dedicated to public relations (PR) and to take a proactive approach to managing corporate crises and the wider investigation. Although some firms may fully outsource the management of their PR to external PR agencies, others have internal or in-house PR teams or operate a hybrid model with both.

For particularly sensitive matters, such as criminal investigations, legal advice should be sought to ensure that communications do not infringe legal and regulatory requirements. Best practice is for a dedicated crisis management team to be established comprising members of the executive management team, in-house or external legal advisers and PR representatives.

Care should also be taken (1) to ensure that information provided to external PR agencies does not amount to a waiver of privilege (e.g., through disclosing information subject to confidentiality requirements and a limited waiver of privilege) and (2) where litigation is not reasonably in prospect, as communications with third parties (such as PR agencies) may not be protected by privilege.

73 How is publicity managed when there are ongoing related proceedings?

Where there are ongoing related proceedings, corporates will need to take care not to prejudice the proceedings and not to make public statements that could negatively affect potential strategies that the corporate might wish to adopt.

In the deferred prosecution agreement (DPA) context, corporates will also need to be careful not to make any public statement that contradicts the agreed statement of facts, with this often being a formal requirement included within the DPA itself.

In these situations, it is advisable for the PR and legal teams to work closely together, with the legal team reviewing potential statements before they are public.

Duty to the market

74 Is disclosure to the market in circumstances where a settlement has been agreed but not yet made public mandatory?

Private companies are not required to make disclosures to the market in this regard.

Public companies with shares listed on regulated exchanges (such as the Main Market) are required by the Market Abuse Regulation (EU) No. 596/2014 and the UK Listing Rules to disclose ‘inside information’ (being information of a precise nature that has not been made public, relates directly or indirectly to one or more issuers or to one or more financial instruments and, if it were made public, would be likely to have a significant effect on the prices of those financial instruments) to the market without delay, although a delay can be permitted in certain circumstances.

A corporate must consider its own disclosure obligations on a case-by-case basis. However, in general terms, notification by an authority that the corporate is under criminal investigation for serious offences of significant value is likely to trigger an announcement, as would the disposal of those proceedings such as by way of a DPA. A mere invitation to enter into DPA negotiations is unlikely to be deemed precise enough to trigger an investigation. As DPAs are only effective once approved by the court (and not on reaching an agreement with the authorities), an announcement is typically not made until the DPA has received court approval. In practice, corporates will generally have agreed the wording of market announcements with the prosecutor prior to the final hearing so that an announcement can be made immediately after the DPA is approved.

Environmental, social and corporate governance (ESG)

75 Does your country regulate ESG matters?

ESG matters are coming under increasing levels of regulation and are found in an array of statutes and statutory instruments. Examples of ESG-related measures under English law include the following:

  • Statutory directors of corporates are obliged to act in a way that they consider most likely to promote the success of a company, having regard to a number of ESG-related factors, such as the interests of the corporate’s employees and the effect of the corporate’s operations on the community and the environment (Companies Act 2006 (CA 2006), section 172).
  • Corporates of a certain size are required to issue consolidated strategic directors’ reports within their annual reports (CA 2006, section 414A). These reports are to contain particular ESG-related information relevant to the corporate’s performance over any given financial year, with enhanced obligations for publicly listed (quoted) companies. For private companies over a certain size, the strategic reports must (to the extent necessary for an understanding of the performance of the company’s business) contain an analysis of the corporate’s performance for the financial year by reference to a number of key performance indicators, which include environmental matters and employee matters. Quoted companies’ reports must also include a breakdown of the number of persons of each sex who are directors, senior managers and employees, as well as information about social, community and human rights issues. Directors of companies in default of these reporting requirements can be prosecuted and subjected to a fine.
  • The Modern Slavery Act 2015 requires corporates of a certain size to produce annual slavery and human trafficking statements to be made available publicly that set out the steps taken to deal with modern slavery risks in their supply chains and businesses.
  • Since 2017, private employers with more than 250 employees have been required to report and publish information about their gender pay gap (Equality Act 2010 (Gender Pay Gap Information) Regulations 2017).
  • In early 2022, regulations were enacted that impose obligations on certain large companies and limited liability partnerships to publish climate-related financial disclosures as part of the above-mentioned strategic report (the Companies (Strategic Report) (Climate-related Financial Disclosure) Regulations 2022 and the Limited Liability Partnerships (Climate-related Financial Disclosure) Regulations 2022).

As corporates’ ESG credentials become more important to their customers and clients, some corporates are electing voluntarily to publish reports that go beyond their statutory duties (such as ethnicity pay gap reporting).

76 Do you expect to see any key regulatory or legislative changes emerge in the next year or so designed to address ESG matters?

The Environment Act 2021 came into force in November 2021. This Act, among other matters, provides enhanced enforcement powers to reduce illegal tree-felling, prohibits large companies from using illegally produced forest risk commodities, and required the UK government to adopt long-term targets for air, water, biodiversity, resource efficiency and waste by October 2022. Further environmental regulations may be enacted to meet those targets.

There have been growing calls for the gender pay gap reporting regime in the United Kingdom to expand so as to oblige large organisations to publish their ethnicity pay gaps. In February 2022, the Women and Equalities Select Committee (made up of Members of Parliament) recommended that ethnicity pay gap reporting be a mandatory requirement for those corporates that currently report for gender. Although stopping short of mandating ethnicity pay gap reporting, the UK government has confirmed that it will publish guidance to employers on voluntary ethnicity pay reporting in 2022.

An increasing number of corporates are being subjected to mandatory climate-related disclosures, aligned with the recommendations of the Taskforce on Climate-Related Financial Disclosures (TCFD). In October 2022, pensions schemes with assets of more than £1 billion became subject to the reporting requirements and UK-authorised asset managers with assets of more than £1 billion will be subject to similar requirements from January 2023.

The International Sustainability Standards Board (ISSB) has recently published two exposure drafts relating to climate and general sustainability disclosure requirements (which incorporate TCFD recommendations). The aim of these drafts is to provide the market with a complete set of sustainability-related financial disclosures for entities to make as part of their mandatory ESG reporting. In August 2022, the UK government published a letter to the ISSB expressing broad approval of the drafts and committing to ensure that various UK regulators provide comments on them. It is currently anticipated that these reporting standards will be incorporated into law once finalised.

In May 2022, the UK government issued a call for evidence to support the development of an update to the Green Finance Strategy (a 2019 strategy to make the United Kingdom’s financial system more environmentally friendly). The call for evidence ended in June 2022; at the time of writing, the update had not yet been published.

77 Has there been an increase in ESG-related litigation, investigations or enforcement activity in recent years in your country?

The introduction of further ESG reporting duties for issuers may have increased the scope for litigation to be commenced against issuers by investors who have suffered loss as a result of reliance on ESG-related disclosures (e.g., via claims based on sections 90 and 90A or Schedule 10A of the Financial Services and Markets Act 2000 (FSMA)). Section 90 of the FSMA allows investors to sue issuers in relation to untrue or misleading information published in listing documents, whereas section 90A and Schedule 10A (which apply depending on the date of the relevant publication) allow investors to sue issuers on the basis of misleading statements or dishonest omissions in other communications, such as annual reports. Documents within the scope of section 90A may include directors’ strategic reports, which are required to refer to a number of ESG-related factors (see question 75).

Autonomy Corporation Limited v. Lynch and Hussain [2022] EWHC 1178 (Ch) is the first example of a successful claim under section 90A and Schedule 10A of the FSMA. The claimants successfully argued that Hewlett Packard was induced into acquiring a company by dishonest statements and omissions located in published information that misrepresented the target’s revenues.

The Financial Conduct Authority (FCA) confirmed in November 2021 that ESG matters are high on the regulatory agenda, which may mean that we can expect to see more ESG-related enforcement in the future. In a June 2022 report, the FCA confirmed that it was working with the UK government in relation to potential plans to bring ESG data and rating providers within the FCA’s regulatory perimeter as part of efforts to combat greenwashing.

In addition to the above, the number of live investigations under the Modern Slavery Act 2015 has continued to increase, from 118 investigations in December 2016 to 3,335 in August 2021. Abuse in the supply chain continues to receive widespread publicity.

Anticipated developments

78 Do you expect to see any key regulatory or legislative changes emerge in the next year or so designed to address corporate misconduct?

Corporate criminal liability reform

On 10 June 2022, the Law Commission published an options paper, setting out a series of potential options for the reform of the law on corporate criminal liability (see question 2). Given political developments (including a strengthened desire to fight economic crime as a result of the war in Ukraine) and the pressure from across the political spectrum for reform, corporates may benefit from pre-emptively undertaking risk assessments and identifying any gaps in their policies and procedures focused on the prevention of fraud and other economic crimes.

Anti-money laundering and counter-terrorist financing

In June 2022, HM Treasury published a review into the United Kingdom’s regulatory and supervisory regime in respect of anti-money laundering (AML) and counter-terrorist financing. Building on the United Kingdom’s already extensive regulation in this area and recent developments, such as the Economic Crime (Transparency and Enforcement) Act 2022 (see questions 7 and 16), the review focused on improving the effectiveness of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs). The review set out proposals for a stronger framework to measure the effectiveness of the MLRs, reforms to simplify the level of enhanced due diligence required for customers in high-risk third countries and options for supervisory reform. The review is indicative of a broader regulatory focus in the current climate on AML and reducing the flow through London of money obtained unlawfully.

Economic Crime and Corporate Transparency Bill

In September 2022, the UK government unveiled the Economic Crime and Corporate Transparency Bill, which proposes to give Companies House new powers to combat money laundering and to extend the powers of the Serious Fraud Office (SFO) under section 2A of the Criminal Justice Act 1987 (CJA). Specifically, the Bill requires anyone who registers a company in the United Kingdom to verify their identity, and gives Companies House new powers to check, challenge and decline incorrect or fraudulent information. Further, while at present the SFO is only able to use its powers of compulsion under section 2 of the CJA in the pre-investigation stage in matters of overseas bribery, the proposed reforms to section 2A of the CJA would allow the SFO to exercise these powers in relation to any potential offending within the SFO’s jurisdiction (including fraud, false accounting and money laundering).

Procurement Bill

In May 2022, the UK government introduced the Procurement Bill, which, among other things, would amend the circumstances in which companies can be debarred from tendering for public contracts as a result of their wrongdoing or other failures. Under the Bill, a corporate can be excluded from tenders if a contracting authority considers that (1) an exclusion ground applies (which may be a mandatory exclusion ground such as a conviction for a serious offence, rendering a company ‘excluded’, or a discretionary exclusion ground, rendering a company ‘excludable’) and (2) the circumstances giving rise to the application of the exclusion ground are likely to occur again. The Bill also provides for the introduction of a debarment list of suppliers, allowing authorities easily to identify and reject unsuitable suppliers in tenders. Suppliers can be added to this list where the UK government has investigated and satisfied itself that the supplier is an excluded or excludable supplier (or where the supplier has refused to comply with an investigation).

Sanctions response to Russia’s invasion of Ukraine

In response to Russia’s invasion of Ukraine, it is likely that the United Kingdom’s sanctions against Russia will broaden in scope. The United Kingdom has already adopted measures targeting broad swathes of the Russian economy and is likely to continue to expand the list of people and entities subject to asset freezes and to impose further sanctions on Russia in consultation with its international partners.

Potential relaxation of rules on financial advice

In September 2022, the Financial Conduct Authority’s (FCA) Executive Director (Markets) gave a speech, setting out the FCA’s intention to review the amount of regulation placed on financial advice regarding concerns that the current rules impose too heavy a burden and deter financial services firms from speaking to customers in a meaningful way. According to the FCA, the costs of compliance with the current regulatory regime mean ‘only the relatively well-off can access advice on what to invest in’, while ‘mass market consumers are often left to navigate a bewilderingly large choice with little support’. The intention, therefore, is that the reform will lead to firms reducing their fees and making advice more accessible.


Footnotes

[1] Simon Airey is a partner, James Dobias is a senior associate and William Merry is an associate at McDermott Will & Emery UK LLP.
