Self-Reporting to the Authorities and Other Disclosure Obligations: The UK Perspective

This is an Insight article, written by a selected partner as part of GIR's co-published content.

3.1 Introduction

Whether, when and how a company should report potential misconduct requires an increasingly global (in all senses of the word) view of the risks and benefits involved. Around the world, levels of enforcement action in relation to bribery and money laundering are increasing and remain high. International cooperation between authorities is being expanded and enhanced, and a growing number of jurisdictions are moving towards deferred prosecution agreements (DPAs) and formalised or protected whistleblowing regimes, as part of a general and growing trend towards incentivising corporate self-reporting.[2]

A firm’s voluntary decision to self-report requires directors to evaluate the potential benefits and risks involved in doing so, while complying with their duties under the Companies Act 2006 to consider and act in the best interests of the company as a whole (and to comply with any other mandatory reporting obligations that may apply).[3] Key benefits of self-reporting include the ability to manage the timing and content of the information being provided to the authorities, the potential for securing a DPA (or other negotiated settlement), the reduction of any financial penalties, the maximisation or management of reputational fallout and the obtention of an earlier and more predictable resolution than may otherwise be possible. Particular risks include potential disruptive and damaging action by investigating authorities, damage to share prices, the removal or suspension of senior management, costly internal investigations (including potential regulator involvement and the potential loss or waiver of privilege over key material) and potential civil litigation. The still relatively small body of decided cases in relation to DPAs in the United Kingdom, together with guidance setting out the circumstances in which they will be contemplated and entered into, provide some direction as to whether self-reporting may produce a negotiated outcome.

The stakes for individuals (usually directors) are also higher than ever in the United Kingdom: those working in firms regulated by the Financial Conduct Authority (FCA) or the Prudential Regulation Authority (PRA) will need to consider how the United Kingdom’s Senior Managers and Certification Regimes (SMCR) may provide those regulators with an easier route to regulatory enforcement action against them, in addition to any criminal and civil liability.

Frequently, questions as to how to deal with internal disclosures made by whistleblowers and, in those circumstances, whether, when and how to self-report matters to authorities, go hand in hand. Similarly, where a firm operates in multiple jurisdictions, any trigger of mandatory reporting obligations in one jurisdiction warrants careful consideration regarding corresponding mandatory or voluntary reporting in others – particularly in light of authorities’ increasingly collaborative approach to (formal and informal) sharing of information.[4]

Self-reporting is therefore a critical decision and can help to conclude regulatory intervention swiftly or even pre-empt it. The decision to self-report is seldom simple and typically involves balancing not only complex questions of fact and (criminal, regulatory and employment) law but also the risks and benefits of doing so. All these considerations also play out against the backdrop of an obvious tension between self-reporting with sufficient speed to obtain or maximise cooperation credit and the chance of a DPA on the one hand and taking the time to investigate an allegation sufficiently to understand whether, when and what to report on the other.

This chapter examines how authorities are using and interpreting self-reporting and whistleblowing frameworks in the United Kingdom and identifies key considerations for firms and their advisers. The extraterritorial reach of several pieces of key legislation (most notably the Bribery Act 2010 (UKBA)) and the comparatively aggressive stance of UK investigating and prosecuting authorities (principally the Serious Fraud Office (SFO)) mean that developments in this country are of interest to firms operating around the world, even if they are based, or undertake most of their activities, outside the United Kingdom.

3.2 Culture and whistleblowing

Self-reporting and whistleblowing are increasingly considered to be fundamental to and indicative of the culture of an organisation. In the wake of the financial crisis and more recent well-publicised instances of corporate misconduct, UK regulators and enforcement authorities have focused on culture as a strategic and supervisory priority.

The first DPA of 2021, agreed by the SFO and Amec Foster Wheeler Energy Limited (AFWEL) in June 2021,[5] elucidates the connection between culture and self-reporting, and the implications for companies that fail to self-report evidence of actual or potential misconduct. The DPA concerned bribery and corruption that occurred in several countries between 1996 and 2014, when AFWEL was known as Foster Wheeler Energy Limited (FWEL). As part of the DPA, John Wood Group PLC, which acquired AFWEL after the SFO’s investigation began, undertook to meet its liabilities. The evidence was that FWEL and its then parent company, Foster Wheeler Limited (FWL), knew about the potential internal corrupt conduct in Saudi Arabia at least as early as October 2007 when its lawyers, Baker Botts, submitted a report that was discussed (and minuted) at a FWL board meeting in November 2007. At that meeting, Baker Botts advised that there was no legal obligation to self-report in relation to the matters discovered. Baker Botts subsequently prepared a risk report in July 2008 regarding potential corruption in four other countries and investigated and discovered evidence of suspected corrupt activities on at least two other occasions before 2010, but no decision was made to self-report to authorities in any country at any point.[6]

In his judgment approving the AFWEL DPA, Lord Justice Edis noted that there could be no criticism of Baker Botts’ advice that there was no obligation to self-report, but held that ‘the proper course’ for the FWL board in November 2007 would have been to report the known facts to the SFO, ‘not as a matter of legal duty, but as a matter of ethical corporate governance’.[7] Edis LJ went further, explaining that there is also a ‘moral duty’ on all individuals (and, by implication, directors and senior managers) and firms to self-report: ‘I accept that there was no legal requirement to report suspected crime to the authorities, but there is a moral duty on all citizens in this respect which extends at least equally to corporations. This failure by the board of FWL was deplorable.’[8]

The effectiveness of anti-corruption policies and procedures is inevitably linked to, and influenced by, a firm’s culture. In AFWEL, the SFO noted that although FWEL had policies and procedures in place to prevent the type of misconduct that occurred, they were circumvented and breached on multiple occasions, which indicated ‘a culture of disregard for compliance’ with them.[9] Edis LJ observed that although FWEL had responded to the external lawyers’ reports in 2007 and 2008 by putting in place certain measures and policy changes, these were ineffective, and the offending individuals identified could continue their misconduct because, while the policies changed, they did not work because ‘FWEL did not want them to’[10] and documents were instead created to conceal FWEL’s engagement of agents to bribe public officials.[11] He found the evidence to be indicative of FWEL’s ‘widespread and high level culture of criminality’.[12]

Edis LJ emphasised that there are valuable lessons to be gleaned from the AFWEL DPA; not only was he clear as to what ‘good’ self-reporting culture involves, but also how FWEL’s actions were an example of ‘the culture which should be discouraged’. He considered that the AFWEL DPA should therefore have the beneficial effect of improving the culture of all firms within the SFO’s jurisdiction by encouraging the self-reporting of wrongdoing when they discover it, including when they find such evidence on acquisition of another entity.[13] Edis LJ also pointed out that ‘a culture of self-reporting is of very substantial benefit to the interests of justice’ in that it should bring to light criminal behaviour that might otherwise go undiscovered, and potentially make investigation easier, and convictions more likely.[14] This factor was cited with approval by Mrs Justice May in giving judgment in the most recent DPAs with the SFO.[15] Similarly, in the most recent DPA entered into by Entain plc (Entain) with the Crown Prosecution Service (CPS), while there was no initial self-report, Dame Victoria Sharp DBE, President of the King’s Bench Division, said that the extent of cooperation by Entain was ‘akin to self-reporting’ and called it exemplary, and further that ‘[t]he DPA should encourage self-reporting, which is of vital importance in the context of the investigation and prosecution of complex corporate crime’.[16]

Financial institutions and firms’ arrangements to encourage and facilitate disclosure of reportable concerns by employees or whistleblowers should allow effective escalation of reportable concerns internally to the appropriate persons or the board, and then for appropriate external escalation and reporting to appropriate bodies, including the FCA, the PRA, the National Crime Agency (NCA) and the SFO. For regulated firms, the relevant systems and controls requirements are aligned with FCA Principle 11 and PRA Fundamental Principle 7, which oblige regulated firms to deal with their regulators openly and cooperatively, including by disclosing anything of which the regulators would reasonably expect notice, and equivalent conduct rules and obligations for senior managers under the SMCR.

The Corporate Compliance Guidance (published in January 2020) makes clear that the SFO will start assessing corporate organisations’ compliance arrangements at an early stage of investigations, and that deficiencies identified will not necessarily preclude an eventual DPA, provided the corporate organisation concerned is taking a ‘genuinely proactive’ approach to compliance. It also states that where DPAs include provisions relating to compliance programmes, the SFO is likely to require the appointment of an external monitor (at the expense of the corporate organisation) to verify that the required improvements are made.

3.3 The evolution of the link between self-reporting and a DPA

Self-reporting is a significant factor in determining a firm’s chances of securing a DPA, and this connection has been the primary driver for self-reporting since the DPA regime was introduced in 2014. Yet, after eight years and 13 DPAs, it is increasingly clear that the relationship between self-reporting and the likelihood of a DPA is not simple or binary: self-reporting in the United Kingdom does not guarantee a DPA or even leniency in sentencing (depending on whether other public interest factors are at play).

DPAs are now an established feature of the UK investigations landscape. There are a variety of sources of useful indications as to the approaches of the SFO and the courts: in the DPAs and the judgments approving them, in cases where DPAs have not been concluded, and in the operation of prosecution guidance in ongoing investigations and negotiations. These indications are set out in more detail below, as part of the analysis of the advantages that may flow from a decision to self-report.

3.4 Obligatory self-reporting

3.4.1 Anti-money laundering and terrorist financing reporting

The sections of the United Kingdom’s anti-money laundering and counter-terrorist financing legislation dealing with reporting are among the most stringent of their type in the world.

In outline, the Proceeds of Crime Act 2002 (POCA) imposes specific obligations on businesses operating in the ‘regulated sector’ to make suspicious activity reports (SARs) to the NCA where they know or suspect, or have reasonable grounds for knowing or suspecting, that another person is engaged in money laundering.[17] Failing to report such suspicions is an offence under sections 330 and 331 POCA.

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the MLTF Regulations) require firms that are ‘relevant persons’[18] to appoint a nominated officer and to ensure that anyone who is working in the firm, is handling relevant business and has the requisite suspicion in relation to money laundering will make an internal report to the nominated officer, who is then obliged to consider whether to file a SAR.[19] This means that there are (internal) reporting obligations on the individuals working in those firms. For businesses operating in the regulated sector, information triggering reporting obligations is likely to have come to them as a consequence of customer due diligence and monitoring obligations imposed by the MLTF Regulations (or their predecessors, the Money Laundering Regulations 2007).

SARs may include a request to the NCA for ‘appropriate consent’ to enable the reporter to do a particular act in relation to the property concerned, which might otherwise amount to the commission of a money laundering offence.[20] Such SARs have historically been referred to as ‘consent SARs’, although they are now referred to by the NCA as ‘requests for defence against money laundering (DAML) SARs’.

There is a corresponding reporting and consent regime in relation to terrorist financing under the Terrorism Act 2000.[21] In addition, authorities may impose specific obligations on financial institutions, in particular, to report dealings with certain ‘designated persons’.[22]

The relatively low threshold for making a SAR and the natural desire of businesses and the individuals within them to avoid liability (which can include potentially lengthy periods of imprisonment for individuals) means the NCA receives very substantial volumes of DAML SARs, placing a significant strain on its resources.

The number of SARs submitted is high: from 2021 to 2022, over 901,000 SARs were received (an increase of 21 per cent on the previous year). The increase in SAR reporting reflects year-on-year growth; a contributing factor is new SAR reporters in the fintech and cryptocurrency sectors.[23] However, the number of DAML SARs decreased in 2022 by 16 per cent from over 105,000 in 2021 (which had seen an increase of 69 per cent on the previous year)[24] to over 83,000 in 2022.[25] While the number of DAML SARs decreased, the total value denied to suspected criminals as a result of DAML requests increased by 120.6 per cent to £305.7 million.

The United Kingdom’s SARs regime is undergoing a transformation. Following a number of reviews of its effectiveness, including reports by the Financial Action Taskforce in 2018[26] and the Law Commission in 2019,[27] the UK government announced a SARs Transformation Programme to fundamentally reform the SARs model and deliver better IT infrastructure and capabilities, enhanced feedback and a reformed UK Financial Intelligence Unit (FIU) as part of its broader Economic Crime Plan in July 2019,[28] which is designed to tackle fraud and money laundering and sets out how the United Kingdom’s public and private sectors should work together to improve the response to economic crime.

The United Kingdom’s second Economic Crime Plan 2023-2026 (ECP 2) builds on the foundations laid in the first Economic Crime Plan and aims, inter alia, to improve intelligence, feedback and analysis through SARs reform. According to the ECP 2:

The [SARs Reform Programme] has already completed the delivery of increased staff in the UKFIU and Regional Organised Crime Units (ROCUs) and delivered the first beta release of the new SARs Digital Service improving reporting and data quality. Improved collaboration with the National Data Exploitation Centre (NDEC) now means that every SAR is matched against relevant data sets and used multiple times. The programme will also deliver legislative exemptions through the Economic Crime and Corporate Transparency Bill to reduce the regulatory burden on business.[29]

There are two key actions in the ECP 2 associated with the SAR Reform Programme, relating to new technology, analytical tools and completion of UK FIU staff uplift, which are due for delivery during the course of 2023 and 2024.[30]

In practice, a firm’s decision whether and when to file a SAR to comply with reporting obligations or to secure a defence to substantive offences must form part of wider strategic calculations about self-reporting. In many cases, it will be clear which enforcement authorities will be interested in investigating the circumstances that have given rise to knowledge or suspicion of (or reasonable grounds to suspect) money laundering. In such cases, it can make sense to consider providing the information set out in the SAR directly to the relevant enforcement authorities. Doing so when filing a SAR with the NCA (or soon after) can help to secure maximum credit for proactively bringing matters to the attention of the authorities and to expedite obtaining consent to proceed with a transaction.

This was the course taken by Standard Bank plc in securing the United Kingdom’s first DPA with the SFO in November 2015.[31] The SFO, and subsequently the court, highlighted and commended Standard Bank for reporting concerns to the SFO within weeks of the suspicious payment, and within days of filing a SAR.

Finally, alongside ongoing enhancement to the SAR regime, the government is tackling the scourge of illicit money in the economy by increasing transparency of the ownership of real estate and companies. The Economic Crime (Transparency and Enforcement) Act 2022 (ECA) requires any overseas entity that wishes to own UK land to take steps to identify their beneficial owner and to register them with Companies House. Failure to register is a criminal offence. In turn, Companies House will make this new register publicly available alongside the register of people with significant control, which was implemented in 2017 and contains details of beneficial owners of UK companies. Companies House has been granted enhanced investigation and enforcement powers in the Economic Crime and Corporate Transparency Act 2023, intended to ‘improve transparency over UK companies and other legal entities in order to strengthen our business environment, support our national security and combat economic crime, whilst delivering a more reliable companies register to underpin business activity’.[32]

3.4.2 Mandatory sectoral reporting

A company will be subject to a variety of reporting obligations, depending on the nature of its operations, the sector in which it operates and the extent to which (and by which authorities) it is regulated. Each authority will have its own requirements as to the timing, format, content and process for mandatory reports. The key sectoral requirements include reporting:

  • financial sanctions breaches to the Office for Financial Sanctions Implementation (OFSI) (on behalf of HM Treasury);[33] and
  • data security breaches under the General Data Protection Regulation. Breaches must be reported within 72 hours of becoming aware of the breach, to the Information Commissioner’s Office and, in some cases, to the data subjects concerned.

Firms must inform OFSI as soon as practicable if they know, or have reasonable cause to suspect, that a person either is a target (or is acting on behalf of a target) or has committed an offence under the UK financial sanctions regime, where such information comes to the firm in the course of carrying on its business. OFSI’s Monetary Penalty Guidance[34] sets out explicitly that its baseline penalty matrix encourages prompt and complete voluntary disclosure.[35] Voluntary disclosures can receive a 50 per cent reduction on the baseline penalty for cases deemed ‘serious’ or up to 30 per cent for cases deemed ‘very serious’.

Recent enforcement actions show this approach in practice:

  • In June 2021, OFSI fined TransferGo Ltd £50,000 for breaches of the Ukraine financial sanctions regime.[36] The company did not receive any ‘voluntary discount’ because it had only disclosed information pertaining to some relevant transactions in response to formal OFSI information requests.
  • In a related but separate investigation, OFSI fined Clear Junction for contravention of the same Ukraine financial sanctions regime, awarding Clear Junction a reduction of 26.7 per cent for the voluntary disclosure of some, but not all, of the transactions.[37]
  • In the penalty against Tracerco Limited, announced in June 2022, Tracerco made a voluntary disclosure; therefore, the penalty included a reduction of 50 per cent in line with OFSI’s published guidance.[38]
  • In the most recent enforcement action against Wise Payments Limited, announced in August 2023, OFSI gave weight to, among other things, Wise’s voluntary disclosure in deciding not to impose a monetary penalty and instead use its new power to publicise the breach.[39]

3.4.3 DPAs and regulatory and private agreements

Firms may have self-imposed reporting obligations. Reporting obligations are often built into DPAs, ongoing monitorship agreements or other agreements with regulators in relation to historical criminal or regulatory failings, for example. Where a firm has a history of such failings, it is also not uncommon for parties to key transactional and financial agreements to insist on similar reporting obligations, often tied to its mandatory or regulatory reporting obligations to particular authorities. In all cases, these obligations may have short reporting windows: firms should be familiar with them and act without undue delay.

Separately, firms may be obliged to bring the fact of an investigation, or the circumstances giving rise to it, to the attention of a host of potentially interested parties. These may include contractual counterparties, markets on which they are listed, affected customers or investors, and insurers. It is highly likely that contractual arrangements and legal and regulatory frameworks will vary across the jurisdictions in which firms operate (e.g., applicable public procurement requirements for contracting with government entities). It is often advisable to conduct an early analysis of the potential collateral consequences of historical wrongdoing and any investigation, prosecution or negotiated outcome.

3.4.4 Self-reporting to the FCA and PRA

The FCA and, in the case of dual-regulated firms, the PRA are responsible for the conduct of firms authorised under the Financial Services and Markets Act 2000 (FSMA). Of particular relevance is the responsibility for ensuring that the firms and individuals regulated by it establish and maintain effective, proportionate and risk-based systems and controls to ensure that they cannot be used for the purposes of financial crime.[40]

The FCA Handbook and the PRA Rulebook contain detailed rules and guidance on their requirements in this area. These provisions supplement the overarching obligations on regulated firms and individuals to maintain an ‘open and cooperative’ relationship with the FCA and PRA and to ‘disclose . . . appropriately anything relating to the firm of which [the relevant regulator] would reasonably expect notice’.[41] In practice, these broad principles-based requirements oblige regulated firms and individuals to notify the FCA or the PRA, or both, not only of circumstances that may amount to breaches of rules set out in the FCA Handbook or the PRA Rulebook, but also of investigations and other matters that may affect the fitness and propriety of individuals, or the ability of firms to satisfy the threshold conditions required to be authorised to carry on particular regulated activities.

In recent years, the FCA has increasingly used its enforcement powers against firms and individuals for breaches of their duties of openness and transparency or for failures proactively to bring matters to the FCA’s attention.[42] In a number of other cases substantial penalties have been imposed on firms and individuals simply for failing to comply with obligations to notify the regulator.[43]

In a number of other areas, firms and individuals must proactively bring particular matters to the attention of the FCA, which may in due course give rise to intensified supervision, or enforcement investigations, or both. Key examples include obligations to file suspicious transaction and order reports under the Market Abuse Regulation and requirements for firms to notify the FCA (or PRA, as appropriate) of breaches of the Conduct Rules by senior managers, certified persons or other employees under the SMCR. The timescales for such notifications and the level of detail required also vary significantly depending on the circumstances.

The FCA also acts as the UK Listing Authority, meaning that companies listed in the United Kingdom (and their directors) must behave in an open and cooperative manner,[44] which means that listed companies and their directors have to notify the FCA of potentially significant investigations.

None of the mandatory reporting obligations described above exists in a vacuum. The FCA in particular collaborates closely with other enforcement authorities, both within the United Kingdom and internationally.

Notwithstanding the FCA’s ability to prosecute criminal offences, there have been several examples in recent years of cases in which it has supplied information to and otherwise coordinated its action with other authorities, including, notably, the SFO.[45] In March 2021, the FCA launched its first criminal prosecution for offences under the Money Laundering Regulations 2007, in the first prosecution of a bank, NatWest, for such offences.[46] The announcement followed a number of record fines by the FCA and HM Revenue and Customs for non-compliance with money laundering regulations[47] and may mark the start of a more robust approach.[48] NatWest pleaded guilty to the charges in October 2021 and sentencing took place in December 2021.[49] Mrs Justice Cockerill ordered NatWest to pay a fine of £264.8 million, even though the judge agreed that NatWest was not complicit in the underlying criminal money laundering by its customer.[50]

The remainder of this chapter considers self-reporting in relation to the SFO and, to the extent relevant, the FCA, in relation to financial crime issues.

3.5 Voluntary self-reporting to the SFO

The SFO’s decision as to whether to prosecute a corporate organisation will be governed by a combination of the Full Code Test in the Code for Crown Prosecutors,[51] the Guidance on Corporate Prosecutions,[52] (in relevant cases) the Joint Prosecution Guidance of the Director of the SFO and the Director of Public Prosecutions on the Bribery Act 2010 (the Joint UKBA Guidance)[53] and the Deferred Prosecution Agreements Code of Practice (DPA Code). Prosecutors will also follow the Guidance in the relevant chapters of the SFO’s internal Operational Handbook, three of which have been published in the interests of transparency since late 2019 (i.e., the Corporate Co-operation Guidance,[54] the Guidance on Evaluating Corporate Compliance Programmes (Corporate Compliance Guidance)[55] and, most recently, the Guidance on Deferred Prosecution Agreements (DPA Guidance)).[56] Former SFO Director Lisa Osofsky explained that, in combination, those sources:

instruct us to take into account the existence of effective compliance programmes and speedy self-reporting. It is about incentivising the private sector to cooperate in preventing crime, to be willing to report it if it occurs nonetheless, and to cooperate when we investigate and prosecute those who have transgressed.[57]

The SFO will prosecute if there is a realistic prospect of conviction on the evidence and it is in the public interest to do so. The fact that a firm has reported itself will be a relevant consideration to the extent set out in the Guidance on Corporate Prosecutions. The Guidance explains that, for a self-report to be a public interest factor tending against prosecution, it must form part of a ‘genuinely proactive approach adopted by the corporate management team when the offending is brought to their notice’.[58]

The SFO has long stated expressly, and has reiterated most recently in the Corporate Co-operation Guidance, that self-reporting is no guarantee that a prosecution will not follow and that each case will turn on its own facts.[59] This is consistent with the approach of the CPS in 2018 in R v. Skansen Interiors Ltd,[60] the first contested case in relation to the corporate ‘failure to prevent’ offence under the UKBA. Skansen was prosecuted despite self-reporting to the NCA and extensive cooperation with the CPS in the ensuing criminal investigation, including by disclosing privileged material. The CPS justified its decision to prosecute rather than pursue a DPA on grounds that Skansen was a dormant company and could neither pay a fine nor comply with the terms of any DPA, and that it wanted to send a message to smaller companies regarding the importance of having effective anti-bribery and corruption procedures in place, rather than relying on ‘company values’ to establish proper compliance and conduct.

In appropriate cases, the SFO may use its powers under proceeds of crime legislation as an alternative (or in addition) to prosecution.[61] If the SFO uses those powers, it will publish its reasons, the details of the illegal conduct and the details of the disposal.[62]

3.6 Advantages of self-reporting

3.6.1 Cooperation credit

Most firms will consider that the primary advantage of making a voluntary self-report is cooperation credit, particularly if the firm is seeking a DPA. This reflects the DPA Code, which lists cooperation as an additional public interest factor tending against prosecution.[63] As noted earlier, however, self-reporting does not guarantee a DPA.[64]

Self-reporting and cooperation overlap. This overlap exists because the UK DPA regime does not draw a bright line between self-reporting and cooperation to determine whether a DPA is appropriate or any penalty reduction. Self-reporting is instead an element subsumed within cooperation, whereas the United States distinguishes between self-reporting (deserving the fullest credit) and cooperation (deserving less). Self-reporting is a less significant condition for securing a DPA in the United Kingdom – a position that has been widely criticised as undermining the regime’s effectiveness.

In practice, under the UK regime, cooperation exists along a spectrum, where certain factors or steps move a firm nearer or further from the prospect of prosecution or a negotiated outcome. The DPA Code, for example, requires cooperation to be ‘genuinely proactive’ and lists as examples of cooperative behaviour ‘identifying relevant witnesses, disclosing their accounts and the documents shown to them . . . [and] where practicable it will involve making the witnesses available for interview when requested’.[65] Firms can find indications of what factors and steps are important on the cooperation spectrum in other guidance documents, DPAs and related judgments, many of which are considered below.

Announcing the release of the DPA Guidance in October 2020, then SFO Director Lisa Osofsky noted: ‘Over the past six years, we at the SFO have been developing our approach to negotiating and entering into DPAs, and in turn, establishing best practice. Publishing this guidance will provide further transparency on what we expect from companies looking to cooperate with us.’[66] In broad terms, three elements (i.e., timely self-reporting, proactive cooperation and implementation of effective compliance remediation) will determine, to a greater or lesser degree, the level of cooperation credit a firm may receive.

The Joint Guidance on Corporate Prosecutions lists cooperation as a factor tending against prosecution, but instructs prosecutors first to establish whether the firm has provided sufficient information about its operations ‘to assess whether the company has been proactively compliant’ including ‘making witnesses available and disclosure of the details of any internal investigation’.[67]

In approving DPAs between the SFO and Standard Bank, Sarclad Ltd[68] and Rolls-Royce, Sir Brian Leveson spoke positively of the cooperative stance adopted by each of those firms, as did Mr Justice William Davis, approving the DPAs agreed with Serco and Güralp, and Dame Victoria Sharp, approving the DPA with Airbus.

The SFO’s Corporate Co-operation Guidance[69] ‘does not seek to set out exhaustively what will be required in order for a corporate organisation to be considered as genuinely co-operative’, since ‘there will be dialogue in every case about what will be expected of the corporate organisation concerned’.[70] It notes in general terms that:

Co-operation means providing assistance to the SFO that goes above and beyond what the law requires. It includes: identifying suspected wrong-doing and criminal conduct together with the people responsible, regardless of their seniority or position in the organisation; reporting this to the SFO within a reasonable time of the suspicions coming to light; and preserving available evidence and providing it promptly in an evidentially sound format.

Non-exhaustive as it declares itself to be, it does add some detail (and confirm previous public statements) as to what is good practice and lists steps firms should take, including regarding the preservation and production of relevant digital and hard-copy information; evidence of financial records and analysis (to ‘show relevant money flows’); the provision of industry and background information (including about other actors in the market and whether any other government agencies are aware); and taking witness evidence (including an expectation that cooperating firms will waive privilege over witness accounts).

However, to understand the effect of any such cooperation, companies and practitioners still must look to the DPA Code, which sets out prosecutors’ expectations regarding self-reporting. In deciding whether a DPA is appropriate, along with other factors relating to the nature and seriousness of the offending, prosecutors must evaluate whether the firm has been ‘genuinely proactive’ in its approach.[71] Proactiveness is measured by reference to factors including the timing of the self-report and how comprehensive, relevant and useful the material is (particularly as regards any potential action against individuals).

Timing

The DPA Code,[72] the SFO’s Corporate Co-operation Guidance[73] and the DPA Guidance make it clear that firms wishing to obtain as much cooperation credit as possible should not wait until they have carried out their own detailed internal investigation before self-reporting concerns about possible wrongdoing.[74] The Corporate Co-operation Guidance and the DPA Guidance reiterate previous general indications that self-reporting should occur ‘within a reasonable time’ of the firm becoming aware of the relevant matters.

What is clear is that prosecutors expect to receive an initial notification of circumstances giving rise to concerns that criminal wrongdoing may have occurred. They do not expect or wish to receive a completed investigation report. As is set out in the DPA Code, the Corporate Co-operation Guidance and the DPA Guidance, they expect to be involved in the investigation at the planning stage and certainly before any witness interviews are conducted.[75] In cases where firms discover evidence of significant historical wrongdoing that is not already known to prosecutors and may suitably be resolved through a DPA, they should consider making an initial notification to the SFO (or the CPS, if appropriate) at the same time as they file SARs or other statutory reports (in the United Kingdom or abroad).

The timing of a self-report relative to any details entering the public domain is particularly important. The DPA Guidance specifically highlights that self-reporting should be made ‘voluntarily, that is without the threat of imminent disclosure by a third party or compulsion’.[76] That it was still possible for the SFO to conclude a DPA with Rolls-Royce in 2017 despite some details of wrongdoing already being known to the SFO illustrates that this is just one factor informing a prosecutor’s approach and does not by itself determine whether a DPA will follow.[77] However, Sir Brian Leveson, then President of the Queen’s Bench Division, noted that Rolls-Royce was anomalous in this regard, and that for Rolls-Royce to obtain credit for self-reporting in DPA negotiations it was necessary for the company to provide ‘extraordinary’ cooperation and to notify the SFO of matters ‘of a different order’ from those it would otherwise have known.[78] Absent such extraordinary cooperation and disclosure, it is clear that a failure to notify the SFO of matters before they become public (or before negative headlines are threatened or imminent) will jeopardise the prospects of successfully negotiating a DPA.

The DPA Code’s focus on proactive and timely self-reports is illustrated by the January 2020 DPA agreed with Airbus SE.[79] Airbus received a degree of cooperation credit for having initially reported corruption concerns to a UK government body that Airbus knew was required to report onward to the SFO, effectively forcing Airbus to self-report. Airbus had initially identified concerns about business partners from late 2013 and took steps to address them from early 2014. In April 2015, the UK government body from which Airbus obtained export credit financing, UK Export Finance (UKEF), queried the lack of information in certain declarations required of Airbus as part of UKEF anti-bribery due diligence. Crucially, it notified Airbus at the time of its queries that it had to report any suspicions of corruption to the SFO. This prompted Airbus to investigate and make fuller disclosures to UKEF in January and March 2016. Having received Airbus’ fulsome disclosure, UKEF informed Airbus that it would notify the SFO and that its strong preference was for Airbus also to do so. Both UKEF and Airbus reported to the SFO on 1 April 2016, and Airbus met with the SFO a week later.

Edis LJ was at pains to emphasise the significance of the timing of a self-report in his judgment approving the AFWEL DPA in March 2021. Edis LJ considered that failing to self-report at the time the facts were discovered was an aggravating factor because so much time had been able to pass, not only since the first Baker Botts report in 2007 but also since the offending itself occurred. The Baker Botts reports were historical and related to conduct some time before. Edis LJ noted that this ‘means that it may be more difficult to investigate and prosecute individual offenders now’.[80] Significantly, offending only began in Brazil three years after the board had received the external lawyers’ reports of similar misconduct in other countries in 2007 and 2008. Edis LJ considered that self-reporting in 2007–2008 might have prevented the spread of misconduct to other countries but conceded that given ‘that corruption appears to have been endemic then and at a very high level, it may be doubted that this would ever have happened’.[81]

In her judgment in the Bluu Solutions Limited and Tetris-Projects Limited DPAs, May J commended the companies’ prompt self-reporting, and accepted that the timing of the self-report was significant, which she noted ‘provide an example of proactive and responsible conduct following discovery of criminality which is greatly to be encouraged’.[82]

Continuing cooperation

It is not only the timing of an initial notification that matters. To demonstrate the requisite level of cooperation for a DPA to be appropriate, firms must also remain appropriately engaged with prosecutors as investigations progress. The DPA with G4S Care and Justice (UK) Limited (G4S) in July 2020 provides an illustration.[83] In that case, the company and its representatives sustained the possibility of a DPA for approximately six years after its initial notification to the SFO, only opting to increase levels of active cooperation in October 2019, with the concerted aim of concluding the DPA. Approving that DPA, Mr Justice William Davis made clear that ‘initial reluctance’ in cooperation would not preclude a DPA but is relevant to the reduction to be applied to the financial penalty element, which, for G4S, was set at 40 per cent rather than 50 per cent as in all other UK DPAs to date other than that agreed with Standard Bank.

Similarly, as described above, in approving the Airbus DPA, Dame Victoria Sharp found that despite ‘what might be described as a slow start’, Airbus had thereafter ‘co-operated with the prosecuting authorities conducting the investigations to the fullest extent possible’. Sharp P attached particular weight to the fact that Airbus accepted from the earliest stage in its dealings with the SFO that the UKBA gave the SFO extended extraterritorial powers (and cause for interest) in relation to conduct that had occurred almost exclusively overseas, which she acknowledged was ‘an unprecedented step’ for a company domiciled in France and the Netherlands.[84] Airbus’ slow start was not considered sufficiently substantial to merit any reduction to the discount applied to the financial penalty element of the DPA, however.[85] As Sharp P noted, ‘there is no necessary bright line between self-reporting and co-operation’.[86]

G4S and Airbus remained on the correct side of the lines around the timing of (and rationale behind) initial notification and the levels of subsequent cooperation. The SFO, however, considered that both lines had been crossed by Sweett Group plc, which was prosecuted in December 2015 for failure to prevent bribery under the UKBA. Sweett had self-reported on learning that a newspaper intended to publish allegations of involvement in bribery in connection with Middle Eastern construction consultancy agreements. As noted above, the recent DPA Guidance specifically highlights that self-reporting due to ‘imminent threat’ of disclosure undermines the ‘voluntary’ quality of the report. Although informal discussions about DPAs did commence at one stage, Sweett was deemed to have been uncooperative for much of the investigation, leading ultimately to its prosecution, conviction and the imposition of a fine of £2.25 million in February 2016.

Waiving privilege

The Corporate Co-operation Guidance and DPA Guidance are clear that firms cannot be compelled to waive privilege over relevant materials or be penalised for not doing so. In practice, maintaining privilege will effectively be a factor tending in favour of prosecution. For now, the Guidance has to be read together with the body of case law relating to DPAs in the United Kingdom.

In these cases, ‘genuine and proactive’ cooperation has manifested itself largely through pragmatic decisions by firms to waive privilege on a limited basis and to make material available voluntarily (i.e., without requiring the SFO to use powers of compulsion, although the Corporate Co-operation Guidance and DPA Guidance confirm if the SFO perceives a need to use its powers of compulsion, it will not necessarily mean that the firm concerned is not suitably cooperating).

Airline Services Limited provided access under a limited waiver of privilege not only to material from its internal investigation into the conduct and contracts forming the subject of its self-report and DPA, but also in relation to an earlier internal investigation into conduct involving a different agent and related contracting arrangements.[87] G4S also provided access to all interviews conducted by its lawyers and accountants under a limited waiver of privilege. In the Bluu Solutions and Tetris-Projects DPAs, May J regarded the extent of the companies’ cooperation as ‘a significant factor in [her] decision’ for which reason she chose to set out ‘at length’ what that cooperation had involved. Their cooperation included providing ‘a limited waiver of privilege in relation to a significant amount of material, including pre-acquisition due diligence reports, lawyer’s notes on the interviews of witnesses during the internal investigation, some internal correspondence and external legal advice’.[88]

In all cases it has been crucial to show a clear separation from the individuals alleged to have been involved in wrongdoing and a commitment to providing material for use in prosecuting any culpable individuals. However, there has only been one successful prosecution of an individual arising out of conduct in respect of which the corporate entity entered into a DPA, namely Roger Dewhirst, who pleaded guilty on 31 May 2021 to two counts of accepting or agreeing to receive bribes contrary to section 2, paragraphs (1) and (2) of the UKBA.[89]

3.6.2 Leniency or reductions at the penalty stage

Self-reporting and subsequent cooperation are also relevant at later stages in the UK criminal justice process. The Sentencing Council’s Definitive Guideline[90] (effective from 1 October 2014 in relation to the sentencing of corporates for fraud, bribery and money laundering offences and considered in setting financial penalties under a DPA) takes into account a firm’s culture in the event of a conviction.[91]

The Guideline sets out steps to assist courts in determining the appropriate fine. The first is to establish the harm caused by the offending. For example, for a bribery offence, the starting point for the calculation is the ‘harm figure’ – the gross profit from the contract obtained. Once a harm figure has been determined, the court establishes the ‘culpability’ factor by reference to a scale in the Definitive Guideline (from ‘A’ for high culpability down to ‘C’ for lesser culpability). Each level of culpability has attached to it a range of multipliers to apply to the harm figure. In determining exactly which multiplier to apply, the court must take into account many factors. One is cooperation with the investigation (which includes, and is not separate from, self-reporting), which the Definitive Guideline lists as reducing the culpability multiplier.

The cooperation reductions applied by the SFO to date have been significantly more generous than those of its US counterpart. The UK legislation requires any financial penalty forming part of a DPA to be broadly comparable to the fine a court would have imposed following a guilty plea.[92] In the very first DPA (with Standard Bank plc) in 2015, the SFO and the court had followed the legislation and the DPA Code to the letter by providing a discount of one-third – equivalent to the reduction ordinarily afforded a guilty plea at the earliest opportunity under the existing sentencing principles and guidelines. Ever since, however – presumably on the basis that incentivising self-reporting and cooperation would require companies to receive more credit than they might ordinarily get in return for a simple (early) guilty plea – in all but one of the DPAs in which the SFO has applied a cooperation discount to date, the discount has been set at 50 per cent. A 50 per cent discount was also applied in the most recent DPA agreed with the CPS.

The SFO has drawn criticism for undermining the effectiveness of the United Kingdom’s DPA regime, with its over-generous approach to cooperation credit in penalty reductions. In February 2020, Transparency International and Spotlight on Corruption called in an open letter for then SFO Director Lisa Osofsky to review the regime (in conjunction with the Attorney General’s Office and the CPS) and urged the SFO to follow the US approach to the distinction between self-reporting and cooperation, so that self-reporting would be a more significant condition for securing a DPA.[93] The letter’s argument that the absence of this distinction creates perverse incentives for firms to wait until after wrongdoing has been discovered by authorities, and then make a virtue of cooperation, is neither novel nor isolated.

Arguably, financial services firms have less scope for truly voluntary self-reporting because Principle 11 requires disclosure of ‘anything relating to the firm of which that regulator would reasonably expect notice’,[94] and the SMCR imposes corresponding obligations on senior managers.[95] The FCA sets out a non-exhaustive list of factors relevant to determining whether to issue a financial penalty or public censure in its Decision Procedure and Penalties Manual (DEPP), which includes ‘how quickly, effectively and completely the person brought the breach to the attention of the FCA or another relevant regulatory authority’.[96] If the FCA decides to take action against a firm, DEPP operates similarly to the Definitive Guideline in setting an appropriate level, noting that ‘the conduct of the firm in bringing (or failing to bring) quickly, effectively and completely the breach to the FCA’s attention’ is one of the factors for increasing or decreasing the fine.[97]

3.6.3 Demonstrating culture and the strength of systems and controls

Effective self-reporting indicates a good corporate culture. Firms that have taken the necessary steps to institute a good culture supported by robust systems and controls will expect that any matters involving wrongdoing would be quickly reported internally via their whistleblowing procedures and either escalated or reported to the relevant authorities, or both, as appropriate. Further, self-reporting can be used as part of a firm’s ‘reasonable procedures’ defence if charged with one of the corporate failure-to-prevent offences, such as the failure to prevent bribery under section 7 of the UKBA, or the failure to prevent the facilitation of UK or foreign tax evasion under the Criminal Finances Act.[98]

Conversely, a regulated firm’s failure to identify and self-report wrongdoing could indicate a breach of the FCA’s requirements for such firms to:

establish, implement and maintain adequate policies and procedures sufficient to ensure compliance of the firm including its managers, employees and appointed representatives (or where applicable, tied agents) with its obligations under the regulatory system and for countering the risk that the firm might be used to further financial crime.[99]

3.6.4 Information control

Firms often think that choosing to self-report will enable them to retain control over the information that they disclose. In practice, however, the SFO and FCA’s insistence on effective self-reporting means that firms will have to provide as complete an account as possible of the wrongdoing concerned, and hand over particular investigative work-products (or categories of work-product) already created. Public companies will also have to give careful consideration to their obligations to make market announcements.

Given the stance adopted by the FCA and SFO, one of the key benefits to self-reporting is that the firm has some control over the timetable (as compared, for instance, with a dawn raid) and is therefore able (having taken advice on any market abuse risks) to notify key stakeholders of the self-report and to prepare an appropriate media strategy.

3.7 Risks in self-reporting

It should be clear that self-reporting in the United Kingdom does not guarantee a DPA or even leniency in sentencing. In most cases, a firm will only be able to gauge its DPA prospects relatively late in a process during which it will usually have provided a significant amount of information, documents, investigation reports and even witnesses for interview, having possibly waived privilege.[100] The G4S DPA of July 2020 indicates that in some circumstances a firm may postpone its decision about whether to engage more fully until a relatively late stage in the investigation. That said, it would be risky for firms to regard G4S, which was rooted in a very particular factual context, as a guide to the approach prosecutors may take in future.

The relevant chapters of the SFO’s Operational Handbook contain express warnings to firms that none of their provisions concerning its expectations around self-reporting and cooperation is legally binding and should not be taken to create any rights, liabilities or expectations. In a slightly different context, Soma Oil & Gas Limited v. Director of the Serious Fraud Office[101] provides an illustration of the expense, difficulty and disruption associated with seeking to force the SFO to bring about a conclusion to an investigation. Firms therefore need to evaluate the risks and costs inherent in making self-reports carefully. Some key risks and practical considerations are set out below.

3.7.1 Interest and potential investigation in other jurisdictions

There is always a risk of contagion: it is the nature of complex bribery, fraud and corruption that it crosses borders and can implicate authorities in multiple jurisdictions. Self-reporting to a regulator in one jurisdiction may draw the attention of other regulators, domestically or abroad. The benefits and risks of reporting are seldom consistent or certain across jurisdictions, since procedures, techniques or demands in conducting their investigations and taking enforcement action inevitably differ.

Increasingly, regulators are sharing information and seeking to collaborate in enforcement actions. As long ago as 2010, the US Department of Justice and the SFO worked together in investigating BAE Systems plc,[102] and such cooperation has since become routine. International cooperation often goes beyond formal mutual legal assistance requests, to encompass informal intelligence sharing (sometimes in advance of formal investigation in any jurisdiction), coordination or division of responsibility on issues for enforcement, and even formal programmes by which to enhance understanding and assist with capacity or resourcing. This has included (and continues to include) SFO secondments by prosecutors from US and Singaporean authorities and an expanding list of memoranda of understanding with overseas counterparts. The Airbus global settlement incorporating DPAs negotiated by the SFO and the US Department of Justice and an analogous convention judiciaire d’intérêt public (CJIP) with the Parquet National Financier in France is the most significant example of such coordinated action to date.

While there are legal limits to the extent of information sharing and collaboration between authorities, firms need to be strategic in their conduct across all countries. For example, US law significantly limits the use (or derivative use) of defendants’ foreign compelled testimony in US criminal proceedings against them.[103] The provision of evidence or interview testimony is commonly compelled in the United Kingdom,[104] which means that there is a real risk that firms may fall foul of those limits (even inadvertently, as part of routine updates or reports on progress or developments in parallel investigations) and negate any cooperation credit otherwise achieved in the United States.

3.7.2 Privilege and authorities’ involvement in the internal investigation

Legal advice in relation to internal investigations

A key concern for all firms considering and investigating suspicions or allegations of wrongdoing is to establish clearly at the outset that their board, or any committee with oversight of internal investigations, is authorised to seek and receive legal advice in relation to the investigation to ensure that updates to these bodies and related documents will be protected by legal professional privilege.

Material generated during internal investigations

A significant concern in the context of internal investigations centres on the material generated during an internal investigation, including any investigation work and work-product that may have preceded the self-report. This material typically includes interview notes and summaries of key documents and issues.

The UK authorities are adamant that to self-report in any meaningful sense, firms must provide sufficiently detailed information about the wrongdoing. The SFO states: ‘All supporting evidence including, but not limited to emails, banking evidence and witness accounts, must be provided to the SFO’s Intelligence Unit as part of the self-reporting process.’[105] A key question when considering a self-report is therefore whether the firm is prepared to disclose its full interview notes, the privileged status of which has been subject to heated debate in the United Kingdom in recent years.[106]

If a further illustration of the potential complexities and follow-on implications of DPAs were needed, it is provided by Omers Administration Corporation and others v. Tesco plc.[107] In a judgment handed down in January 2019 in civil proceedings pursued by investors for losses they claimed resulted from the conduct forming the basis of the DPA agreed between the SFO and Tesco Stores Limited, Mr Justice Hildyard ordered disclosure of documents in the possession or control of Tesco plc. These included some documents provided to it by the SFO, which had been obtained from third parties through the use of the SFO’s compulsory powers under section 2 of the Criminal Justice Act 1987, and transcripts of interviews with, and witness statements of, third parties. The conflict between Tesco plc’s obligations to keep these documents confidential pursuant to an undertaking provided to the SFO as part of the DPA negotiation process, and its disclosure obligations in the follow-on litigation pursued by investors under the FSMA, generated substantial ancillary litigation and a costly and involved process of seeking representations from third parties. The proceedings serve as a reminder that although a DPA may avoid the need for protracted criminal proceedings, it provides no guarantee of finality in respect of (and indeed may provide oxygen for) associated civil (or regulatory) proceedings.

Waiving privilege

The SFO has maintained for some time that firms wishing to cooperate with the SFO need to give serious consideration to waiving privilege, and that it is ready to challenge any overly broad claims to privilege. The Corporate Co-operation Guidance reinforces that approach. It notes that a firm’s claim to privilege must be properly established, that any claim should be supported by independent counsel and that the Court of Appeal ruling in ENRC ‘has not ruled out a court’s consideration of the effect of an organisation’s non-waiver over witness accounts in determining whether a proposed DPA is in the interests of justice’.[108]

In deciding whether to acquiesce in providing witness accounts and other privileged materials, a company will need clear advice as to the risks involved in waiving litigation privilege, even on a limited basis, at such an early stage, particularly before it is clear whether a settled resolution is likely and especially where multiple authorities may be involved. The shield of litigation privilege is clearly of paramount importance to any firm defending criminal or regulatory enforcement proceedings where, very commonly, civil litigants will be waiting in the wings and in jurisdictions such as the United States, where the concept of limited waiver does not exist.

Involvement of authorities in internal investigation

Having ensured that the internal investigation is suitably established for privilege purposes, another critical concern for any firm will be the likelihood of potential involvement in – or loss of control of the scope, timing and conduct of – its own investigation. The former Director of the SFO, Sir David Green KC, made it clear that the SFO might specify particular areas or issues to be included in the firm’s investigation and how the investigation ought to be conducted in relation to particular issues or persons, and provide updates to the SFO, usually within agreed time frames.[109] He explained the SFO’s influence or imposition into internal investigations as being necessary to avoid ‘churning up the crime scene’ and compromising the SFO’s own investigation. This, again, is reinforced in the Corporate Co-operation Guidance. Similar sentiment was expressed by Mark Steward, the FCA’s former Head of Enforcement, who referred to ‘the crime scene being trampled over’.

3.7.3 Impact on witness interviews

In addition to influencing the scope of an internal investigation, UK authorities may also influence a firm’s ability to conduct witness interviews after self-reporting, whether by prohibiting the firm from conducting interviews with certain individuals, or by requiring the firm to delay them until the authority has conducted its own interviews. In Rolls-Royce, for example, Sir Brian Leveson noted that when the SFO commenced its own investigation, Rolls-Royce had not only provided access to its internal investigations and interview notes (by a limited waiver of its claims for legal professional privilege over them) but also deferred its own interviews until after the SFO had done so. Similarly, May J noted that Bluu Solutions Limited and Tetris-Projects Limited ‘complied with the SFO’s request not to pursue further lines of enquiry or speak to witnesses without the SFO’s prior consent’.[110]

3.7.4 Scrutiny, including potential monitoring obligations

A DPA or settled resolution will always include a number of non-financial terms and conditions. While these will often be fact-dependent and tailored to the wrongdoing involved and the state of the firm’s remediation at the point of agreement, the DPA Code includes a list of terms that may be agreed as part of a DPA, including requirements for putting in place a robust compliance or monitoring programme, or both, which may include the appointment of an independent monitor.[111]

While the imposition of a corporate monitor is not compulsory, the DPA Code provides lengthy guidance as to monitors’ roles and appointment, and notes that the imposition of a monitor ‘must always be fair, reasonable and proportionate’.[112] Where a monitor is required, the costs to the firm can be significant. Not only will the firm have to pay the monitor’s fees but it will also have to pay the costs associated with the selection, appointment and reasonable ‘monitoring’ costs of the prosecutor during the monitoring period.

There are indirect or non-financial costs, too. The monitor must be given complete access to all relevant aspects of the firm’s business, and the firm will need to allocate resources to ensure that the monitor is provided with the information and cooperation required and to establish the systems and controls necessary to effect the remediation agreed with the regulator.

These costs have attracted a degree of judicial and corporate scepticism and criticism in the United Kingdom and the United States. Such criticism notwithstanding, the appointment of a monitor (in one form or another) is likely to feature regularly in DPAs in the future, as had previously been the case in civil recovery orders[113] or criminal court orders,[114] which were the SFO’s preferred means of imposing monitorships before the introduction of the DPA regime provided it with a statutory basis for doing so.

However, the DPAs concluded to date surely illustrate that a distinctive feature of the UK DPA framework is its flexibility; prosecutors negotiating and judges approving DPAs in the United Kingdom have significant discretion to decide the nature and extent of any monitoring and reporting arrangements that may be necessary or desirable as part of the remediation elements of DPAs.

3.8 Practical considerations, step by step

3.8.1 Reaching the decision

Sometimes the decision to self-report may be clear-cut or the only sensible option (particularly where a whistleblower has made serious allegations). More often, however, it will be necessary to conduct an internal investigation to test the information underlying the concerns and to ensure that any report made to authorities is as complete and accurate as possible. How long this takes will depend on a range of factors, including where and when the alleged conduct took place, the number of individuals allegedly involved, and the availability of relevant documents and individuals for interview.

It is critical for the decision to self-report to be taken by directors who are independent of the underlying events or issues, in conjunction with appropriate legal advisers, and suitably documented. An essential first step is immediately preserving all relevant documents, and ensuring that the investigation is carefully scoped and proceeds expeditiously.

There is no one ‘correct’ approach to investigating disclosures, allegations or whistleblowers’ reports. What is necessary and appropriate will vary significantly depending on factors including the jurisdictions, personnel and business areas implicated. The following key principles may, however, help firms to respond decisively and consistently to disclosures of alleged misconduct, and to protect their interests when they do.

Clear communication

Clear communication underpins a successful response to a disclosure, particularly where a whistleblower is involved. Carefully delineated channels must be in place to enable staff receiving disclosures (whether through a dedicated hotline or other less formal channels) to escalate them quickly and to the appropriate people. In particular, policies and procedures should name a designated member of the senior management (typically in its legal or compliance function) who should have a direct reporting line to the board or audit committee. Provision should also be made for how to deal with disclosures naming members of the board or the designated senior manager responsible for handling whistleblowing reports.

Even, dispassionate investigation

Not every disclosure or whistleblowing report will justify the expenditure of time and resources on comprehensive internal investigations or involve reports to authorities. It is clearly important to guard against complacency or undue cynicism when evaluating issues, or reports by whistleblowers. Level-headedness and even-handedness pay dividends. Allegations should be viewed dispassionately and, where possible, empirically tested by reference to readily available documents, or by means of interviews with relevant individuals (who should be apprised of the importance of confidentiality).

Clear protocol and structure

Where initial enquiries show disclosures or allegations to be well founded, firms’ responses should be guided by clear protocols setting out the circumstances in which external legal counsel should be instructed (advisable at an early stage to preserve any applicable privilege), how and when other external specialist resources (such as forensic IT consultants or accountants) may be required and instructed, and how such selection and instruction should occur (ideally by legal counsel, again to maintain privilege as far as possible).

Appropriate senior individuals within the firm’s human resources function should be involved in coordinating the approach to the whistleblower (if there is one) and dealing with any disciplinary action. The United Kingdom’s whistleblowing legislation and the related FCA and PRA whistleblowing rules required some regulated firms to enhance their existing whistleblowing procedures, including by appointing a whistleblowers’ champion.

Senior management involvement

Once the firm’s senior management is notified of serious issues or allegations being made in a whistleblowing report, it is paramount to keep them apprised of the progress of enquiries. If evidence emerges that appears to substantiate the concerns, the window for firms to receive maximum credit for self-reporting to appropriate authorities is relatively short.

3.8.2 Once the decision has been made

Once firms decide to make a report to authorities, the main challenges facing them are to demonstrate that any self-report (1) has been made in a timely fashion, (2) has been made genuinely voluntarily (i.e., not simply because public disclosure or a regulatory or criminal investigation is imminent) and (3) contains enough information to enable the authority to make a meaningful and informed assessment as to how to proceed.

A firm should aim to be the first to self-report to maximise credit. Generally, authorities will acknowledge that internal investigations into complex matters occurring many years before can take time and give credit for initial notifications based on the discovery of certain key facts, with an indication that a fuller report will follow more thorough investigation.

Documenting the decision

Regardless of whether the decision is to report or not, it is important for the firm’s board to ensure that the issue or allegation is investigated, properly considered with appropriate advice and properly documented. The board must also ensure that appropriate remediation steps are taken, not only to mitigate the risks of criminal, regulatory and civil action, but also to demonstrate the firm’s cultural responsiveness and change.

Caution is required in documenting the steps taken in reaching their decisions, not only to preserve privilege as far as possible but also with regard to the likelihood of such documentation subsequently becoming subject to external scrutiny or publicity, which is particularly likely for public companies.

Nature of approach to the authorities

Self-reports to authorities are not generally made in a set format but instead usually take the form of a preliminary notification (typically verbal) soon after receiving notice of potential wrongdoing with a more detailed written or oral report after further investigation. The nature and scope of disclosures to authorities vary significantly between, and often within, jurisdictions and may depend on whether the issues cross borders. Specifically, whether it is possible to preserve any applicable privileges by providing reports orally rather than in writing will depend on the circumstances.

Timing of a self-report

The SFO requires self-reporting to be made ‘within a reasonable time’ after the firm becomes aware of the issue, and certainly before the SFO becomes aware of it by some other means, or the firm is threatened with investigation or action by other bodies or authorities, or with leaks or exposure in the press.

Beyond potentially impacting the prospects of a DPA, the timing of a self-report will also have a bearing on the decision to prosecute and the level of any potential penalties.

When DPAs were first introduced, the SFO suggested that negotiated settlements would be unlikely where firms had not notified it immediately upon learning of alleged wrongdoing. However, it is increasingly evident that the SFO’s expectations as regards timing have become more realistic over time.

3.8.3 Managing other regulators

Whatever format they use to report matters to authorities, firms and their advisers should assume that information provided to one enforcement authority will be passed to others, and that referrals may be made where authorities have parallel jurisdiction over some or all aspects of the firm’s activities. In cases where the SFO does not prosecute a self-reporting firm, the SFO reserves the right to prosecute for any unreported violations of the law, and may provide information on the reported violation to other bodies (such as foreign police forces or authorities) through the relevant gateway.

The above notwithstanding, firms should not assume that disclosure to one authority necessarily means that other relevant authorities are aware of the matter – full assessments must be made as to whether it is necessary or appropriate to make separate notifications to other specific authorities (whether in the same jurisdiction or elsewhere), who might expect to be told of the alleged misconduct or of the fact of other investigations by or at the behest of enforcement authorities.


[1] Judith Seddon is a partner and Andris Ivanovs is an associate at Dechert LLP.

[2] In the first speech of former Director of the Serious Fraud Office (SFO), Lisa Osofsky, she referred to how the ‘increasingly multi-jurisdictional and complex’ nature of SFO cases makes cooperation to achieve global settlements all the more important. She said that ‘[s]trengthening and deepening the relationships that make this happen is going to be a major focus for me’ and listed the newcomer countries to deferred prosecution agreements (DPAs) as part of that focus. (Lisa Osofsky, former SFO Director, speech at the Cambridge International Symposium on Economic Crime 2018, Jesus College, Cambridge (3 Sept. 2018).) Cooperation continues to be central to the SFO’s strategy, and Lisa Osofsky regularly noted it as a priority. Four years on, in 2022, she noted: ‘We have . . . intensified and broadened the SFO’s international collaboration and reach. You’ll struggle to find any major corruption or fraud case that doesn’t cross international borders. So stepping up our work with partners has been a cornerstone of many of our successes in my time as Director’. She continued that the strategy for the SFO for 2022–2025 was to ‘continue to develop this outward-facing, team working culture to developing and sustaining our relationships with partner agencies across the globe’. (Lisa Osofsky, 5 Sept. 2022.)

[3] Companies Act 2006, s.172.

[4] For example, in the Corporate Co-operation Guidance, the SFO has set out certain indicators of good practice that it would expect to see in a cooperating corporate, including that an organisation should ‘[n]otify the SFO of any other government agencies (domestic or foreign, law enforcement or regulatory) by whom the organisation has been contacted or to whom it has reported’, SFO Operational Handbook, Corporate Co-operation Guidance (Corporate Co-operation Guidance), at p. 4.

[5] Serious Fraud Office v. Amec Foster Wheeler Energy Limited, unreported (25 June 2021). The DPA was approved in principle by Lord Justice Edis at a private hearing at the Royal Courts of Justice on 25 June 2021. Edis LJ’s judgment was published on the SFO website on 1 July 2021. For the first time, the DPA and judgment bear a heading, making it clear that each document relates solely to the culpability of Amec Foster Wheeler Energy Limited (AFWEL) and not to that of any individual in respect of whom the court did not make any findings of fact.

[6] ibid., at para. 26.

[7] ibid., at para. 19.

[8] ibid., at para. 20.

[9] ibid., at para. 23.

[10] ibid., at para. 24.

[11] ibid., at paras. 23–25.

[12] ibid., at paras. 23–25 and 29.

[13] ibid., at para. 35.

[14] ibid., at para. 35. Edis LJ also noted that this aligned with the overriding objective in Criminal Procedure Rule 1.1 (i.e., that cases be dealt with justly, efficiently and expeditiously).

[15] Serious Fraud Office v. (1) Bluu Solutions Limited and (2) Tetris-Projects Limited [2023] EWHC 1976 (KB), at para. 76(xi).

[16] Crown Prosecution Service v. Entain plc (Case No. U20231779), Approved Summary of Judgment.

[17] The Proceeds of Crime Act (POCA), ss.330 and 331. On 2 June 2021, the Crown Prosecution Service (CPS) updated its guidance on prosecuting ‘failure to report’ cases under s.330 POCA. Before, the CPS did not charge ‘failure to report’ offences where there was insufficient evidence to establish that money laundering was in fact planned or undertaken. The updated guidance now states that it is possible for the CPS to charge a person under s.330 POCA as a stand-alone charge, even where there is insufficient evidence to establish that money laundering was planned or has taken place. By contrast, the substantive money laundering offences (ss.327–29 POCA) require a predicate offence (‘criminal conduct’) and the offender to know or suspect that the property represents a benefit from that criminal conduct. Given that the bar for suspicion is very low in relation to s.330 POCA, and that it is seldom clear whether money laundering is in fact occurring when the reporting obligation arises, a possible unintended consequence of this update will be a further increase in the filing of ‘defensive SARs’. See CPS: Prosecution Guidance in relation to Money Laundering Offences (last updated 2 June 2021).

[18] A firm will be a ‘relevant person’ if it falls within the definitions of the following in the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the MLTF Regulations): (1) credit institutions; (2) financial institutions; (3) auditors, insolvency practitioners, external accountants and tax advisers; (4) independent legal professionals; (5) trust or company service providers; (6) estate agents; (7) high value dealers; and (8) casinos. MLTF Regulations, regulation 8.

[19] MLTF Regulations, regulations 19 and 20.

[20] POCA, ss.335 and 336.

[21] Terrorism Act 2000, s.21A (duty for the regulated sector), s.19 (duty outside the regulated sector) and s.21ZA (consent).

[22] Counter-Terrorism Act 2008, Schedule 7, para. 12, and Terrorist Asset Freezing Act 2010, s.19.

[23] National Crime Agency (NCA), SARs Annual Report 2022 (NCA 2022 SARS Report).

[25] NCA 2022 SARS Report.

[26] Financial Action Task Force Mutual Evaluation Report, ‘Anti-money laundering and counter-terrorist financing measures in the United Kingdom’ (1 Dec. 2018). The Report found that, inter alia, ‘the SAR regime requires a significant overhaul to improve the quality of financial intelligence available to the competent authorities’, at p. 4.

[27] Law Commission, ‘Anti-Money Laundering: The SARs Regime Report’, Law Com No. 384 (June 2019). The Law Commission recommended legal reforms, noting that many SARs were of ‘low intelligence value and poor quality’, at p. 93.

[28] As set out in Actions 30–32. Policy Paper, ‘Economic Crime Plan 2019-22’ (12 July 2019).

[29] Economic Crime Plan 2023-2026, at para. 2.24. The Economic Crime and Corporate Transparency Act 2023 expands the types of cases in which businesses can deal with clients’ property, without first having to submit a defence against money laundering (DAML) SAR, by introducing two exemptions at ss.182 and 183, with a view to reducing those likely to be of minimal value from an intelligence perspective, as well as reducing the burden on reporters. S.182 introduces a new monetary value threshold for exiting a relationship with a customer and paying funds or property back to that customer, where the value is under £1,000. This means that transactions under the £1,000 threshold related to terminating a customer relationship would not require a DAML. S.183 introduces an exemption for businesses to deal with the non-suspect elements of the property only, without filing a DAML, while retaining the criminal property.

[30] See Actions 10 and 11.

[31] Serious Fraud Office v. Standard Bank plc (Case No. U20150854) [2016] Lloyd’s Rep FC 102.

[33] Firms’ reporting obligations under the financial sanctions regime are set out in the relevant UK regulations for each financial sanctions regime, and in Chapter 3 of the Terrorist Asset-Freezing etc. Act 2010. The FCA has also clarified that it expects regulated firms to report suspected dealings with sanctions targets or suspected financial sanctions breaches to it under Principle 11 (or SUP15 of the FCA Handbook (or both)).

[34] Office for Financial Sanctions Implementation (OFSI), ‘OFSI enforcement and monetary penalties for breaches of financial sanctions: Guidance’ (Aug. 2023).

[35] ibid., and paras. 3.40 and 4.8–4.9.

[37] OFSI, ‘Imposition of Monetary Penalty – Clear Junction Limited’ (21 Feb. 2022), at para. 11.

[39] OFSI, ‘Publication of a Report – Wise Payments Limited’ (31 Aug. 2023), at para. 22. Pursuant to the Economic Crime (Transparency and Enforcement) Act 2022, as of June 2022, OFSI has a new ‘name and shame’ civil enforcement power, allowing it to publicly identify that a person has breached financial sanctions without imposing a monetary penalty.

[40] FCA, ‘Annual Report and Accounts 2020/21’.

[41] Principles for Businesses, PRIN 2.1.1 R, Principle 11 (Relations with regulators).

[42] For example, in 2015, the FCA fined The Bank of Beirut (UK) Ltd (Bank of Beirut) £2.1 million, prevented it from acquiring new customers from high-risk jurisdictions for 126 days and fined two approved persons at the bank. The FCA noted that Bank of Beirut had also repeatedly provided the FCA with misleading information after it was required to address concerns regarding its financial crime systems and controls, including by indicating that it had completed remedial actions when it had not.

[43] Recent examples: In December 2020, Charles Schwab UK Limited was fined £8.96 million for failing to adequately protect client assets, carrying out a regulated activity without permission and making a false statement to the FCA in breach of Principle 11. In June 2019, the FCA fined Bank of Scotland £45.5 million for failing to disclose suspicions that fraud may have taken place within part of its corporate lending operations. In 2018, Santander was fined £32.8 million for, among other things, failing to disclose information relating to certain issues with the probate and bereavement process to the FCA.

[44] FCA Handbook, LR 7.2.1 R, Listing Principle 2.

[45] By way of example, the FCA did not impose a financial penalty on Tesco plc or Tesco Stores in early 2017 for engaging in market abuse, partly because Tesco Stores had entered into a DPA with the SFO, pursuant to which it would pay £129 million. The FCA explained that it had also taken into account ‘the exemplary co-operative approach’ taken by Tesco plc and Tesco Stores with both the FCA and the SFO. See the FCA final notice.

[46] FCA Press Release, ‘FCA starts criminal proceedings against NatWest Plc’ (16 Mar. 2021).

[47] For example, in June 2020, the FCA fined Commerzbank London £37.8 million for inadequate anti-money laundering systems and controls. In January 2021, HM Revenue and Customs (HMRC) fined MT Global Limited a record £23.8 million for breaches of the Money Laundering Regulations 2017, although this is under appeal at the time of writing. In April 2021, HMRC announced that Irfan Ltd (MSB) had been fined £4.4 million for breaches of the Money Laundering Regulations, which has not been appealed.

[48] This is particularly so given the appointment (with effect from 21 June 2023) of Steve Smart, as co-head, together with Therese Chambers, of the FCA’s Enforcement Division. Smart comes from the NCA, where he was director of intelligence.

[49] R v. National Westminster Bank Plc, Sentencing Remarks (13 Dec. 2021).

[50] ibid., para 123.

[52] The joint guidance issued by the Director of Public Prosecutions, the Director of the SFO and the Director of the Revenue and Customs Prosecutions Office, Guidance on Corporate Prosecutions.

[53] Bribery Act 2010: Joint Prosecution Guidance of The Director of the Serious Fraud Office and The Director of Public Prosecutions (30 Mar. 2011).

[54] It does not create any legally enforceable rights, expectations or liabilities.

[55] Corporate Compliance Guidance, published April 2020. It does not create any legally enforceable rights, expectations or liabilities.

[56] Guidance on Deferred Prosecution Agreements, published October 2020. It does not create any legally enforceable rights, expectations or liabilities.

[57] Lisa Osofsky, SFO Director, speech at the Cambridge International Symposium on Economic Crime 2019, Jesus College, Cambridge (2 Sept. 2019).

[58] Guidance on Corporate Prosecutions, para. 32 (‘Additional public interest factors against prosecution’).

[59] SFO’s statement of policy and revised guidance on corporate self-reporting (Oct. 2012).

[60] R v. Skansen Interiors Limited, unreported.

[61] See the Attorney General’s Guidance for prosecutors and investigators on their asset recovery powers under s.2A POCA.

[62] In Scotland, where DPAs are not available, this remains the only available means of concluding bribery and fraud investigations concerning corporate organisations short of prosecution.

[63] Para. 2.8.2(i).

[64] See, for example, R v. Skansen Interiors Limited, unreported. The SFO may be more inclined to pursue a DPA, particularly in circumstances where parent entities are willing to pay fines or provide appropriate undertakings, as indicated by the three DPAs agreed with the SFO in July 2021 (i.e., the AFWEL, Bluu Solutions Limited and Tetris Projects Limited DPAs).

[65] ibid.

[67] Guidance on Corporate Prosecutions, p. 8.

[68] Serious Fraud Office v. XYZ Limited (now known to be Sarclad Ltd) (Case No. U20150856) [2016] 7 WLUK 220; [2016] Lloyd’s Rep FC 509.

[69] Corporate Co-operation Guidance, at p. 1.

[70] As part of the SFO’s Operational Handbook, it expressly states that it does not create legally enforceable rights, expectations or liabilities.

[71] Deferred Prosecution Agreements Code of Practice (DPA Code), para. 2.8.2.

[72] DPA Code, para. 2.8.1(v): ‘Failure to notify the wrongdoing within a reasonable time of the offending conduct coming to light.’

[73] Corporate Co-operation Guidance, at p. 1 (‘Co-operation means . . . reporting [suspected wrongdoing] to the SFO within a reasonable time of the suspicions coming to light.’).

[74] The DPA Code used the word ‘notified’ in this context, which replaced the word ‘reported’ in the original draft of the DPA Code. Although (perhaps because it was not the subject of a consultation exercise before its publication in August 2019) the same distinction between ‘reporting’ and ‘notifying’ is not drawn in the Corporate Co-operation Guidance, the message prosecutors are seeking to convey is the same. The DPA Guidance uses the verb ‘notify’.

[75] DPA Code, para. 2.9.2; Corporate Co-operation Guidance, at p. 4: ‘To avoid prejudice to the investigation, consult in a timely way with the SFO before interviewing potential witnesses or suspects, taking personnel/HR actions or taking other overt steps.’

[76] SFO Operational Handbook, DPA Guidance, ‘Self-Reporting’ section.

[77] As noted in the Corporate Co-operation Guidance: ‘Each case will turn on its own facts. In discussing co-operation with an organisation, the SFO will make clear that the nature and extent of the organisation’s co-operation is one of many factors that the SFO will take into consideration when determining an appropriate resolution to its investigation.’ ibid., p. 1.

[78] Serious Fraud Office v. Rolls-Royce plc and Rolls-Royce Energy Systems Inc. (Case No. U20170036) [2017] Lloyd’s Rep FC 249, paras. 21 and 22.

[79] Serious Fraud Office v. Airbus SE [2020] 1 WLUK 435.

[80] Serious Fraud Office v. Amec Foster Wheeler Energy Limited (unreported) (1 July 2021), at para. 20.

[81] ibid., at paras. 18, 20 and 35.

[82] Serious Fraud Office v. (1) Bluu Solutions Limited and (2) Tetris-Projects Limited [2023] EWHC 1976 (KB), para. 83.

[83] Serious Fraud Office v. G4S Care and Justice (UK) Limited [2020] 7 WLUK 303.

[84] ibid., at para. 72.

[85] Serious Fraud Office v. Airbus SE [2020] 1 WLUK 435 at para. 69.

[86] ibid., at para. 68.

[87] Serious Fraud Office v. Airline Services Limited (Case No. U20201913, Oct. 2020), at para. 72.

[88] Serious Fraud Office v. (1) Bluu Solutions Limited and (2) Tetris-Projects Limited [2023] EWHC 1976 (KB), at para. 72(13).

[90] Sentencing Council’s Definitive Guideline ‘Corporate Offenders: Fraud, Bribery and Money Laundering’.

[91] A culture of wilful disregard for the commission of offences will lead to a corporate being placed at the most culpable end of the spectrum and facing the heaviest fines.

[92] Crime and Courts Act 2013, Schedule 17, para. 5(4).

[93] Open Letter to the Director of the Serious Fraud Office, ‘Strengthening the UK’s Deferred Prosecution Agreement Regime’.

[94] FCA Handbook, PRIN 2.1.1 R. An equivalent obligation to notify the PRA is set out in Fundamental Rule 7.

[95] Senior Manager Conduct Rule 4 is set out in the FCA Handbook at COCON 2.2.4 R.

[96] FCA Handbook, DEPP 6.2.1(2)(a).

[97] ibid., DEPP 6.5A.3(2)(a).

[99] FCA Handbook, SYSC 6.1.1R.

[100] In the United Kingdom, court approval is required for a DPA, which means that even if the SFO recommends a DPA after extensive cooperation, the court may reject it.

[101] Soma Oil & Gas Limited v. Director of the Serious Fraud Office [2016] EWHC 2471 (Admin).

[102] See the US Department of Justice’s expression of gratitude to the SFO for its assistance in its press release, March 2010.

[103] United States v. Allen, 864 F.3d 64 (2d Cir. 2017), reh’g en banc denied, No. 16-898 (2d Cir. 9 Nov. 2017).

[104] For example, the SFO may compel a person to attend an interview with SFO staff to answer questions or otherwise furnish information pursuant to s.2 of the Criminal Justice Act 1987. Similarly, pursuant to s.171 of the Financial Services and Markets Act 2000, the FCA may require persons under investigation to attend an interview with an investigator to answer questions, or otherwise provide information as requested. Other enforcement agencies, including HMRC, the Competition and Markets Authority and the NCA have similar powers to compel information under various statutes. Suspects in criminal investigations must be interviewed under caution pursuant to the Police and Criminal Evidence Act.

[106] Director of the Serious Fraud Office v. Eurasian Natural Resources Limited (Law Society intervening) [2018] EWCA Civ 2006.

[107] Omers Administration Corporation and others v. Tesco plc [2019] EWHC 109 (Ch).

[108] Corporate Co-operation Guidance, p. 1 at note 5, citing The Director of the Serious Fraud Office v. ENRC [2018] EWCA Civ 2006 at para. 117.

[109] Sir David Green QC, then SFO Director, speech at GIR Roundtable Discussion on Corporate Internal Investigations, 27 July 2015.

[110] Serious Fraud Office v. (1) Bluu Solutions Limited and (2) Tetris-Projects Limited [2023] EWHC 1976 (KB), at para. 72(8).

[111] DPA Code, para. 7.10(iii).

[112] ibid., paras. 7.11–7.22.

[113] For example, the civil recovery orders between the SFO and Balfour Beatty plc in October 2008, Macmillan Publishers Ltd in July 2011 and Oxford Publishing Ltd in July 2012.

[114] For example, in relation to Mabey & Johnson in September 2009, as well as Innospec Ltd in March 2010.
