United Kingdom: Anti-corruption Enforcement and Investigations

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight

Anti-corruption investigations and enforcement actions in the United Kingdom have continued to gather pace over the past 12 months. The commencement and pursuit of numerous high-profile investigations and prosecutions by the Serious Fraud Office (SFO), as well as the UK’s other investigative, regulatory and prosecutorial bodies, coupled with the cementing of deferred prosecution agreements (DPAs) in the centre of the United Kingdom’s enforcement landscape, have continued to lend weight to the argument that the UK is now at the forefront of the global anti-corruption movement. This perception has been assisted by the strengthening of the UK’s statutory anti-corruption framework and recent landmark judicial developments in respect of the availability of legal professional privilege (LPP) in an investigative context. This chapter explores the current trends and developments in anti-corruption enforcement and investigations and offers insight on the likely direction of travel for the UK’s enforcement agencies in 2018.

Deferred prosecution agreements and the SFO’s priorities

The inexorable rise of the DPA

By some distance, the most significant recent development in the UK anti-corruption enforcement and investigation arena has been the introduction of DPAs, in February 2014, and the concomitant eagerness of the SFO to make use of them. Since their introduction, the SFO has entered four DPAs1 while securing convictions against only three companies during the same period.2 Though by no means a reliable sample, this potentially sees the start of a trend for the lion’s share of corporate wrongdoing to be resolved by way of a DPA rather than prosecution in the coming months and years.

DPAs benefit both parties to the agreement. The respondent company avoids the stigma and potentially fatal commercial ramifications of a prosecution and possible conviction and the applicant SFO can allocate the time, money and resources that would otherwise be spent pursuing a prosecution to other cases. At face value, DPAs are also a boon for the taxpayer, with the Rolls-Royce resolution providing a £497.25 million injection to UK Treasury coffers. Others are more circumspect about the SFO’s current favourite toy. Critics worry that DPAs will become an accepted ‘cost of doing business’ for many large businesses and remain cautious about their impact, pending the outcome of related individual prosecutions (see below for further detail). Recent judicial criticism of the SFO’s conduct when negotiating the DPA ultimately entered with XYZ3 only adds to these doubts. In a judicial review hearing, two High Court judges declared that the SFO ‘committed a series of public law errors’ in failing to demand written internal interview summaries from XYZ before making an offer of a DPA. Such criticism has the potential to undermine DPAs as an effective means of resolving allegations of corporate misconduct.

To self-report or not to self-report

Corporate cooperation is fundamental to the UK’s DPA regime. Prior to January 2017, it was accepted that cooperation necessarily involved self-reporting wrongdoing otherwise unknown to the SFO, per the DPA Code of Conduct and the DPAs concluded with Standard Bank and XYZ respectively. Following the Rolls-Royce DPA, however, where the company successfully negotiated a DPA despite failing to self-report, this no longer appears axiomatic.

By contrast, in the 2018 prosecution of Skansen Interiors Limited, the company did self-report after misconduct was discovered internally following a change in management, but the Crown Prosecution Service (CPS) chose not to offer Skansen a DPA, albeit that the company had barely a skeleton compliance framework in place (see below for further details).

While these two cases may simply indicate differing approaches at the SFO and CPS, they perhaps also suggest that self-reporting is neither necessary nor sufficient for a company hoping to be invited to negotiate a DPA. Self-reporting remains merely one factor, albeit an important one, that will continue to evidencing the sufficiency of a company’s cooperation.

Rolls-Royce’s failure to self-report was mitigated by cooperation recognised by both the SFO and presiding judge Sir Brian Leveson as ‘extraordinary’.4 Such cooperation included deferring internal interviews until the SFO had first conducted its own interviews; disclosure of all interview memoranda despite the company’s belief that disclosure could otherwise be resisted on the basis of claims to LPP; and providing all material requested by the SFO voluntarily, without requiring recourse to compulsory powers.5

Each case will be decided on its facts and, notwithstanding the agreement concluded with Rolls-Royce, it is anticipated that successful DPA negotiations will be rare where the company does not self-report.

Size matters

One remarkable feature of the different approaches taken by UK prosecutors in the Rolls-Royce and Skansen corporate criminal resolutions is the impact the companies’ relative size had upon the outcome. The Rolls-Royce judgment makes clear that the courts will take into consideration the commercial impact of a conviction on the company and its supply chain.6 The unavoidable inference is that larger companies, particularly those of national economic significance, appear less likely to face prosecution than smaller companies against which similar allegations are made.

Skansen illustrates the inequity that smaller companies face when seeking to avoid prosecution. In that case, the CPS pursued a prosecution even though the company, which employed 30 people, was dormant and an absolute discharge was the only possible outcome following a successful prosecution. Such facts make it difficult to see how the prosecution could have been in the public interest. The worrying conclusion, from an equal justice perspective, appears to be that prosecutors are more likely to pursue prosecutions where the company is smaller and the allegations less complex.

Failure to prevent – failure to explain

Skansen is significant as it was the first contested prosecution of a company for failing to prevent bribery under section 7 of the Bribery Act 2010. The company put forward the statutory ‘adequate procedures’ defence, arguing that its compliance procedures were adequate for a company with a narrow geographical reach and only 30 employees. The jury rejected this. Given the scale of the case, however, and the limited procedures the company had in place to prevent persons associated with it from paying bribes, the jury’s decision does not advance our understanding of how adequacy may be assessed for a large multinational company. And in any event, it may be a fool’s errand to hope to derive reliable guidance on how to assess the adequacy of a company’s procedures from cases before the Crown Court, given that the determination of adequacy is a question of fact, to be decided by the jury on a case-by-case basis.

Individuals in the line of fire

The UK’s DPA regime expressly acknowledges that when a company self-reports wrongdoing, it will have been incriminated by the actions of individuals and that it will ordinarily be appropriate that those individuals be investigated and prosecuted. The SFO is currently pursuing prosecutions against individuals following the XYZ and Tesco Stores Limited (Tesco) DPAs and one of the terms of the Rolls-Royce DPA is that the company cooperates with any future prosecution of individuals.

The adverse impact of concluded DPAs on the fairness of subsequent trials of related individuals is an interesting issue and one that has yet to be explored. Although individuals linked to misconduct in concluded DPAs remain anonymous, it could be argued that the pretrial publicity of a concluded DPA has the potential to prejudice the prosecution of individuals such as to render a fair trial impossible and give rise to an abuse of process argument, potentially derailing any prosecution.

Irrespective of the threat of potential abuse arguments being brought, the SFO will be eager to rectify its current failure (as at the time of writing) to successfully prosecute any individuals on the back of the four concluded DPAs.

SFO chases fraud convictions

Anti-corruption aside, fraud investigations and prosecutions have been a key area of focus for the SFO throughout 2017, with several investigations culminating in high-profile trials. In November 2017, the trial of three defendants for alleged fraud offences opened on the back of the Tesco DPA entered in April 2017. Although the trial was brought to an untimely halt in February 2018 due to the ill-health of one of the defendants, the original prosecution, and the SFO’s pursuit of a retrial (set for September 2018), underline the SFO’s desire to hold individuals accountable for dishonest conduct, notwithstanding the imposition of a hefty fine on the corporate entity.

In a similar vein, the SFO’s long-running Euribor-rigging investigation is approaching its end after the first trial of five traders accused of conspiracy to defraud by rigging the benchmark opened in April 2018 (having originally been scheduled for 2017). David Green QC, the outgoing director of the SFO, previously publicly acknowledged that the outcome of the SFO’s Libor and Euribor investigations were likely to be a defining characteristic of his tenure. After nearly six years of investigation (that have been dogged with problems – notably, the SFO originally charged 11 traders but extradition requests were refused by France and Germany) into conduct dating as far back as 2005, the fact that these individuals are finally being tried evidences some tenacity on the part of the SFO.

A new direction at the SFO?

At the time of writing, the SFO is in a state of flux. Former chief operating officer Mark Thompson has been appointed as interim director following Green’s departure. Green’s tenure was characterised by a focus on negotiated settlements and it will be interesting to observe whether a change in leadership presages a change in direction. In the meantime, uncertainty may create a hiatus in reaching charging decisions and opening new investigations.

Landmark LPP rulings

The ability of companies conducting internal investigations to properly claim the protections of LPP over communications generated as part of their investigation is an area that has been the subject of much focus over the past year. Several judgments concerning the application of litigation privilege to both criminal and civil internal investigations have created uncertainty over the circumstances in which LPP can be legitimately claimed and attracted significant criticism. Given the huge potential for these decisions to fundamentally alter the way in which internal investigations are conducted, it is hoped that we will gain some much-needed judicial clarity in this area in the coming months.

Director of the SFO v Eurasian Natural Resources Corporation Limited

In May 2017, in the first instance English High Court decision of Director of the SFO v Eurasian Natural Resources Corporation Limited (SFO v ENRC),7 the SFO successfully challenged ENRC’s claims to LPP over documents produced by lawyers (including witness interview notes) and other professional advisers during an internal investigation into allegations of bribery and corruption prompted by a whistleblower report. ENRC claimed litigation privilege in respect of the documents, asserting that they had been created in contemplation of anticipated litigation, ie, an anticipated criminal investigation by the SFO.

Mr Justice Andrews, while accepting that the company reasonably contemplated a criminal investigation by the SFO, found that this did not amount to anticipation of adversarial litigation for the purposes of litigation privilege, noting that: ‘The reasonable contemplation of a criminal investigation does not necessarily equate to the reasonable contemplation of a prosecution.’8 In particular, the court observed that ENRC always planned to cooperate with the SFO and that, in any case, it did not uncover evidence to suggest that the allegations had any merit. It therefore could not possibly have reasonably contemplated criminal proceedings, and litigation privilege did not attach to the documents in question.

The decision has the potential to substantially erode the protection afforded to documents created as part of an internal investigation and has unquestionably made the establishing of anticipation of litigation in a criminal context more difficult. It has also created uncertainty across the investigations landscape, particularly in foreign jurisdictions where lawyers are now unclear as to the LPP protections that may or may not be available in the United Kingdom. Companies and their legal advisers now need to think very carefully about how internal investigations are structured, considering not only how any fact-finding should be conducted, but if and how any such findings should be recorded and at what point they can properly be said to reach the new higher threshold for the contemplation of litigation.

ENRC has been granted leave to appeal the decision to the Court of Appeal, which is expected to be heard in July 2018. It is hoped that the aspects of the decision described above will be reconsidered at appellate level and that the Court of Appeal will provide some much-needed clarity and certainty. In the meantime, the Court of Appeal’s Criminal Division approved SFO v ENRC in the case of R (for and on behalf of the Healthy and Safety Executive) v Jukes,9 ruling that a statement made by an employee to his employer’s solicitors during an investigation into a health and safety incident did not attract litigation privilege because, at the time of the statement, the matter was still at an ‘investigatory stage’ and the Health and Safety Executive had not made a decision to prosecute.

Bilta (UK) Ltd (in liquidation) and others v RBS plc and another

The High Court case of Bilta (UK) Ltd (in liquidation) and others v RBS plc and another (Bilta v RBS)10 offered a helpful clarification of the law surrounding litigation privilege in the context of an internal investigation, following the ruling in SFO v ENRC.

Bilta v RBS concerned documents created during an internal investigation conducted by RBS prompted by a letter from HM Revenue and Customs (HMRC) alleging that there may be grounds to deny RBS’ VAT claim in relation to certain historical trades, the disclosure of which Bilta requested as part of ongoing (separate) litigation with RBS. Bilta, relying on SFO v ENRC, argued that such documents could not attract litigation privilege because they were not prepared for the dominant purpose of litigation with HMRC. Lord Justice Vos took a different view, ruling that the documents were prepared for the dominant purpose of litigation, ie, defeating an expected VAT assessment by HMRC, and therefore attracted litigation privilege.

While this decision appears to run counter to the assessment in SFO v ENRC, there are two important distinctions to be made. First, Bilta v RBS concerned a civil and not a criminal investigation. Second, the decision highlights the fact that an assessment of whether documents are created for the dominant purpose of litigation will always be fact-specific. While this decision may provide partial refuge against the uncertainty created by SFO v ENRC, the precise ambit of litigation privilege and its application to internal investigations will remain in a state of uncertainty at least until the Court of Appeal rules in SFO v ENRC in July 2018.

GDPR adjusts investigation and enforcement priorities

The EU General Data Protection Regulation (GDPR) will become directly applicable in the United Kingdom from 25 May 2018. Its introduction has garnered significant press attention and triggered concerns about the burden imposed on companies racing to be compliant with the new regulation. In reality, the changes that will be wrought by the GDPR are likely to be less dramatic in the context of anti-corruption investigations than many commentators have suggested.

From an enforcement perspective, the most significant change will be the scale of the fines available to the Information Commissioner’s Office (ICO). Under the Data Protection Act 1998, the largest fine available to the ICO is £500,000. Under the GDPR, the most serious offences could result in a fine of up to €20 million or four per cent of a firm’s global turnover, whichever is greater.

It is not anticipated that this increase in enforcement sanction power will directly translate into proportionately higher fines, however. The deputy commissioner of the ICO, James Dipple-Johnstone, has said: ‘If a £25,000 fine is sufficient now, it is highly likely that will be sufficient under the GDPR.’11 That said, the ICO’s increased powers will cause companies to think twice when complying with information requests from abroad, particularly the United States. Currently, the consequences for failure to comply with such a request can far outweigh the risk that compliance may be in breach of data protection rules. Facing a heftier fining regime, companies will have to act with greater caution when complying with overseas requests.

The GDPR will also impact the approach taken by companies when responding to an external government-led investigation or conducting its own internal investigation. Consent for the sharing of data under the GDPR, which extends to a recording of a witness interview, must be unambiguous, explicit, freely given and can be withdrawn at any time. This strengthened individual right will create difficulties for companies wishing to cooperate with an external investigation where the provision of recorded interviews may be a vital aspect of cooperation and will necessarily involve companies and their advisers walking a difficult path between the legitimate interests of the company and the fundamental rights of the individual.

Cybercrime: a tangled web

Published in April 2017, the UK Government’s ‘Cyber Security Breaches Survey 2017’ revealed that in the preceding 12 months almost 70 per cent of all large businesses identified an attack.

Facing potentially severe financial penalties under the GDPR, companies will need to ensure they comply with the regulation and take proportionate measures to guard against data breaches. In January 2018, the ICO issued a £400,000 fine to Carphone Warehouse following a cyberattack against the company that involved unauthorised access to the personal data of over 3 million people and 1,000 employees. Had the breaches occurred after the GDPR had come into force, the fine may have been significantly higher.

After the ICO was made to wait four days to obtain a warrant to search the offices of Cambridge Analytica in the wake of data misuse allegations, the government will seek to gain cross-party support to give the ICO enhanced investigatory powers, including allowing it to carry out on-site inspections without notice. The ICO is currently investigating 30 companies to assess the use of personal data during political campaigns.

The Financial Conduct Authority cleans up its act on money laundering

In the past year, the UK Financial Conduct Authority (FCA) has been on a concerted push to tackle money laundering. It has increased the resources dedicated to detecting and investigating suspected money laundering, and took substantial action against Deutsche Bank in January 2017 – imposing a fine of £163 million for failure to maintain an adequate anti-money laundering control framework between 2012 and 2015. This is in response to criticism the FCA has received in recent years, having been accused of adopting a light touch regulatory approach to combating money laundering, particularly in relation to holding individuals accountable for their alleged involvement with illicit funds.

Of note is the FCA’s increased oversight of self-regulated professional bodies who have regulatory responsibilities for identifying and mitigating financial crime and money laundering risk within their respective professions. The launch of the Office for Professional Body Anti-Money Laundering Supervision (OPBAS) in January 2018, granting the FCA oversight of the Law Society and the Bar Council, among other bodies, received substantial criticism though the FCA has emphasised that it does not intend to micromanage professional associations and that the process of oversight will be collaborative.

Unexplained wealth orders introduced

The introduction of unexplained wealth orders (UWOs) by the Criminal Finances Act 2017 (CFA) on 31 January 2018 represented the addition of an innovative High Court-issued civil information gathering weapon to the enforcement arsenal in the fight against tax evasion and money laundering. UWOs can be sought by investigative as well as prosecutorial agencies, including the SFO, FCA and NCA, and require individuals who are reasonably suspected of involvement in, or of being connected to a person involved in, serious crime, to account for the nature and extent of their interest in particular property where there are reasonable grounds to suspect that the respondent’s known lawfully obtained income would be insufficient to allow the individual to obtain the property. An interim freezing order can be obtained at the same time as a UWO to prevent the relevant property being dealt with in any way. The granting of the first two UWOs was announced in February 2018, relating to property worth £22 million.

Although it is currently unclear how widely UWOs will be used, they represent a powerful tool in the law enforcement arsenal. There is no requirement for any criminal proceedings to have been instituted against the relevant individual or to prove that the property in question was generated by the alleged crime prior to the High Court granting a UWO, and the burden falls on the individual to justify the source of their wealth.

Other enforcement agency trends

Much of this chapter has focused on developments at the SFO. There are also interesting times ahead for the UK’s other primary anti-corruption investigation and prosecutorial agencies.


The FCA’s recent approach to investigation and enforcement has been more expansive than in previous years. It has sought to embed the approach suggested by Andrew Green QC’s 2015 report into the FCA’s response to the collapse of HBOS. Particularly in relation to individual executives, the FCA is casting a wider net when opening investigations, using its powers as a diagnostic tool where known facts are far from conclusive.

Historically, FCA investigations may only have been opened in cases where the existing evidence established a strong case of misconduct and where the launching of an investigation almost inevitably prefaced subsequent enforcement action. Today, however, we are seeing far more investigations opened as genuine fact-finding exercises. The FCA has stated that where such an investigation is opened and inadequate evidence of misconduct is found, it will have no hesitation in dropping the investigation and taking no further action.12 While this approach is proactive and ambitious, it ought to be remembered that the FCA does not have unlimited resources. Stretching funds to cover investigative work carries a real danger of less productive investigations, with a potential negative impact on the quality of enforcement actions that are pursued.


The NCA’s impact on the anti-corruption investigation and enforcement landscape continues to be negligible. The announcement of the creation of the National Economic Crime Centre, which will operate as a multi-agency organisation within the NCA to investigate economic crime, suggests that the NCA has grand plans to make its mark. However, it remains unclear how this agency will be staffed, or, in times of shrinking budgets, whether it will be adequately funded and it is likely that, for the near future at least, the SFO will continue to investigate and prosecute the lion’s share of complex financial crime.


The recent introduction of the CFA has seen HMRC extend its jurisdictional reach, with the creation of separate offences of failing to prevent domestic and foreign tax evasion. The introduction of the offences was precipitated by the well-publicised difficulties faced by HRMC when attempting to prosecute companies engaged in, or being wilfully blind to, tax evasion, due to the high legal and evidential threshold prescribed by the ‘identification principle’ for attributing criminal liability.

The domestic offence – which will be investigated by HMRC and prosecuted by the CPS – applies to any corporate body regardless of its jurisdiction of incorporation or formation, while the foreign offence, which will be investigated by either the SFO or the NCA and prosecuted by either the SFO or the CPS, applies to corporate bodies incorporated or formed in the United Kingdom who evade tax elsewhere in the world. Such broad extra territorial jurisdiction is evidence of a clear desire to investigate and prosecute tax evasion globally.

Despite this increased potential threat, however, the SFO and the CPS, as designated prosecutors under the Crime and Courts Act 2013, can enter DPAs in respect of these new offences. Given the zeal with which the SFO has deployed this tool in respect of bribery and corruption offences, the risk of criminal prosecution for the overseas offence may be more limited than it first appears.


1 SFO v Standard Bank plc [2016] Lloyd’s Rep FC 91; SFO v XYZ Ltd (Unreported, 11 July 2016); SFO v Rolls Royce (Unreported, 17 January 2017); SFO v Tesco Stores Limited (Unreported, 11 April 2017).

2 R v Smith and Ouzman Ltd & others (Unreported, 22 December 2014); R v Sweett Group PLC (Unreported, 19 February 2016); R v FH Bertling Ltd (Sentencing in September 2018).

3 R (on the application of AL) v Serious Fraud Office [2018] EWHC 856 (Admin).

4 SFO v Rolls Royce (para 19, per Lord Leveson).

5 Ibid (para 20).

6 Ibid (paras 52-57).

7 [2017] EWHC 1017 (QB).

8 Ibid (para 154).

9 [2018] EWCA Crim 176.

10 [2017] EWHC 3535 (Ch).

11 Speech given at the ICO Annual Data Practitioner’s Conference, 9 April 2018.

12 FCA Mission: Our Approach to Enforcement, published March 2018.

Unlock unlimited access to all Global Investigations Review content