The investigation and prosecution of corporate offences historically has been low on the list of priorities for the United Kingdom. But sustained international criticism, the financial crisis and increasing public anger have prompted increased efforts by a range of government bodies in the United Kingdom to combat corporate offending. Recent data leaks, including the Panama Papers, and the controversy focusing on Unaoil have added to the upward trajectory.

Several bodies are responsible for investigating and prosecuting corporate offending in England and Wales. These include the Serious Fraud Office (SFO), Competition and Markets Authority (CMA), Financial Conduct Authority (FCA), Her Majesty's Revenue and Customs (HMRC) and Office of Financial Sanctions Implementation (OFSI). While there is some overlap in the offences each of the foregoing bodies can investigate and prosecute, their remits are largely separate. In addition, the overlaps that do exist have been addressed by memoranda of understanding that assign primacy in the vast majority of investigations and prosecutions (although concurrent investigations occasionally do occur).

Each of the foregoing bodies has a wide range of powers. The powers typically include the execution of ‘dawn raids' (whether alone or with the assistance of partner law enforcement agencies such as the police or National Crime Agency (NCA)) and the compulsory production of documents and information. Non-compliance with lawful production orders constitutes a criminal offence in the United Kingdom.

Importantly, the service of compulsory production notices tends to override any duties of confidence a recipient otherwise owes to a third party (except with respect to legal professional privilege, which can, unless waived, operate to prevent disclosure - see below). Financial institutions and professional advisers therefore must comply with such notices, absent professional privilege, without fear of being held liable to their clients for breach of confidence.

The SFO is responsible for investigating and prosecuting the most serious cases of fraud and other related economic crimes in the United Kingdom. A large part of the SFO's remit involves the investigation and prosecution of bribery and corruption offences as well as certain financial and competition law offences. The SFO's powers of investigation are derived from Section 2 of the Criminal Justice Act 1987 (CJA87), which permits the SFO to require persons to answer questions and produce documents.

The SFO has the power to conduct dawn raids (with the practical assistance of the police and the NCA) and conducted several high-profile dawn raids in 2015 and 2016, including on the premises of Soma Oil and Gas in July 2015 and Unaoil in March 2016.

Having previously suffered a high-profile defeat in a dawn raid judicial review claim brought by the Tchenguiz brothers,2 the SFO recently secured a significant victory when a judicial review claim brought by Unaoil challenging a letter of request preceding a dawn raid by the Monégasque authorities was rejected by the Administrative Court in March 2017.3 The Unaoil decision followed the rejection of a judicial review claim brought by Soma in August 2016.4 Although Soma's judicial review claim was unsuccessful, the company did benefit from the judicial review process by obtaining a letter from the SFO stating that its investigation had not produced sufficient evidence to support bribery allegations. While the Soma case may have encouraged future judicial challenges to SFO investigations, it remains to be seen whether the outcome of the Unaoil judicial review claim will diminish the appetite for such challenges.

Dawn raids also have historically been used by the UK competition authorities. Since April 2014, the CMA has taken over the competition functions of the now defunct Office of Fair Trading (OFT) and Competition Commission. The CMA is now the main competition regulator in the United Kingdom, being responsible for ensuring compliance with the Competition Act 1998 (CA98) and Articles 101 and 102 of the Treaty on the Functioning of the European Union.

In carrying out its functions, the CMA has wide-ranging powers derived from CA985 to investigate suspected infringements of competition law. These include the power to request information, whether in the form of documents or answering questions, and conduct various on-site investigations, including dawn raids, examining and making copies of company books and records and requiring computerised information to be produced in a form that is readable.

Since April 2015, the FCA has had concurrent competition law powers for the financial services sector pursuant to which it may, inter alia, prosecute competition law infringements, conduct market studies and refer markets to the CMA for in-depth investigation. The FCA's main remit, however, is regulating the financial services sector and maintaining the integrity of the UK financial markets.

A wide range of investigatory powers has been conferred upon the FCA by section 168(2) of the Financial Services and Markets Act 2000 (FSMA). Investigations of this type typically relate to allegations of insider dealing, market abuse, making misleading statements, giving misleading impressions or violating the general prohibition appearing in Section 19 of the FSMA.6 Relevant powers include the power to interview any person (whether or not the subject of the investigation), compel the production of documents and information, and compel any person to give such assistance as he or she is ‘reasonably able to give'.

HMRC is responsible for investigating tax and revenue related offences in England and Wales. In doing so, it has a wide range of civil and criminal investigatory powers. Its civil powers derive from the Finance Act 2008 and include the power to obtain information and documents under compulsion as well as inspect premises. HMRC's criminal powers are derived from a range of statutes, the main one being the Police and Criminal Evidence Act 1984 (PACE).7 PACE confers a broad range of investigative powers on HMRC, including search and seizure and compulsory document production.

OFSI is responsible for implementing the financial sanctions regime within the United Kingdom. OFSI monitors compliance with the regime and is notified of any suspected violations. OFSI has the power under the Policing and Crime Act 2017 (PCA) to impose monetary penalties for any breaches of the financial sanctions legislation. Under this new regime, a monetary penalty of up to £1 million can be imposed on a person if OFSI is satisfied it is more likely than not that a particular person breached or failed to comply with the UK financial sanctions regime. If such a breach or failure relates to particular funds or economic resources and it is possible to value them, the maximum fine OFSI can impose is the greater of either £1 million or 50 per cent of the estimated value of the funds or resources. As such, when it is possible to put a value on the breach, the fine could be significantly in excess of £1 million. Each of the SFO, CMA and FCA are empowered to investigate and prosecute relevant offences falling within their remit. HMRC and OFSI by contrast are only responsible for investigation. The prosecution of tax and financial sanctions offences has been assigned to the Crown Prosecution Service (CPS). The decision to prosecute is required to be made in accordance with the Full Code Test in the Code for Crown Prosecutors8 in relation to criminal offences and applicable codes of practice or guidance otherwise.


i Self-reporting

Against a backdrop of ever increasing regulation and enforcement, self-reporting is an issue many corporates have to grapple with at some stage. The starting point for the majority will be the same: while there generally is no legal obligation to self-report in the United Kingdom, self-reporting may or may not - depending upon a variety of factors and circumstances - be advantageous.

The most well-developed self-reporting regime in the United Kingdom is operated by the CMA in relation to cartels, which provides for three types of immunity or leniency for corporates from the imposition of financial penalties.9 Whether full immunity is granted will depend largely upon the timing of the self-report. Greater credit is given the earlier the self-report is made. Broadly, the first to report, provided the self-report is made before the CMA has begun its own investigation, will qualify for leniency (subject to the satisfaction of additional criteria).

A discretionary sliding scale of leniency is offered to those who come forward after an investigation already has begun or when the particular corporate is not the first to do so. The highest and broadest type of leniency, Type A, can offer full corporate immunity from fines as well as immunity from criminal prosecution for all current and former directors, officers and employees who cooperate with the CMA. Timely self-reporting, therefore, can be crucial in the context of competition infringements.

A less generous but nonetheless significant self-reporting regime is operated by the SFO. While the SFO's guidance on corporate prosecutions has made clear for some time that a self-report may be taken into account as a public interest factor tending against prosecution,10 only recently - with the advent of Bribery Act 2010 (BA) offences, the availability of deferred prosecution agreements (DPAs) and an increasingly aggressive approach by the SFO - has this guidance actually begun to prompt some self-reporting.

Standard Bank11 became the first company to enter into a DPA, having self-reported possible misconduct before having begun an internal investigation. In a contrasting case, the Sweett Group12 self-reported potential misconduct only after allegations of misconduct had appeared in the press. The difference in outcome is striking: the Sweett Group was convicted of a criminal offence while Standard Bank paid a civil fine (although it should be noted that a number of additional factors likely contributed to the differential outcomes of the Standard Bank and Sweett Group matters).

The approach taken by Standard Bank was praised by the court. Further, in presenting the proposed DPA to the court, the SFO stated that Standard Bank's early self-report had been a major factor causing the SFO to seek to resolve its investigation of Standard Bank by means of a DPA. Meanwhile, the Sweett Group does not appear to have obtained any meaningful credit from the SFO or the court for what both apparently concluded had been an unjustifiably belated self-report.

A company anonymised as XYZ Limited became, in July 2016, the second company to enter into a DPA.13 As with Standard Bank, XYZ self-reported following concerns that came to light during the implementation of a new global compliance programme. In approving the proposed DPA, the court placed considerable weight on the timing of XYZ's self-report and its ‘genuinely proactive' approach to the wrongdoing that was discovered. The court also awarded a 50 per cent reduction in the fine levied against the company in settlement of the case in light of the company's early self-report.

The third corporate DPA represented a departure from the principles established in the Standard Bank and XYZ cases. In January 2017, Rolls-Royce became the first company to secure a DPA without having first self-reported to the SFO.14 As with XYZ, the court also awarded Rolls-Royce a 50 per cent reduction in the fine levied in settlement of the case. While the court stated in its judgment that self-reporting continues to be ‘highly relevant' when determining whether to approve a DPA, the court nonetheless was persuaded that the ‘extraordinary cooperation' of Rolls-Royce rendered a DPA appropriate. Among other things, Rolls-Royce provided the SFO with access to memoranda of internal interviews in respect of which privilege could have been claimed and deferred internal interviews to allow the SFO to question individuals before they were interviewed by company representatives.

It is unclear whether Rolls-Royce's ability to secure a DPA without first having self-reported will curb companies' enthusiasm for self-reporting in the future. The head of the SFO, David Green QC, has advocated the benefits of self-reporting, repeating Sir Brian Leveson's proclamation from the XYZ DPA that ‘incentivising self-reporting is a core purpose of DPAs.'15 Nevertheless, it remains to be seen what approach companies will take in the future now that a failure to self-report has not been deemed in itself to be an outright bar to securing a DPA.

The FCA has had a longer history than the SFO of taking significant and consistent enforcement action against the firms it regulates. Self-reporting by FCA-regulated firms is far more routine for the FCA than the SFO - indeed, it is largely compulsory. Pursuant to the FCA's high-level principles for business, regulated firms are required to deal with the FCA in an open and cooperative way, disclosing anything relating to the firm and the firm's corporate group of which the FCA reasonably would expect notice.16 Suspicion or evidence of wrongdoing by FCA-regulated firms falls within the scope of this requirement and thus should be, and generally is, reported to the FCA as a matter of course.

Since July 2015, the foregoing self-reporting obligations have been extended to competition law infringements.17 Consequently, FCA-regulated firms are now expected to self-report instances of significant infringements of competition law to the FCA. Self-reporting generally is regarded, as has been stressed in recent FCA pronouncements, to be a bare minimum requirement by the FCA18 and enforcement action is typically taken if that requirement is breached. Recent enforcement actions reflecting this trend ended with Deutsche Bank AG being fined £227 million for misconduct in manipulating LIBOR and EURIBOR and the bank's failure to deal with the FCA in an open and cooperative way19 and Sonali Bank (UK) Limited being fined £3.25 million for inadequate anti-money laundering controls and a similar failure to deal with the FCA openly and cooperatively.20

The decision to self-report in the United Kingdom often is influenced or driven by the application of the UK money laundering regime. The Proceeds of Crime Act 2002 (POCA) includes several money laundering offences predicated on the commission of one or more criminal offences that have produced revenues in or resulted in revenues being remitted into the United Kingdom. Broadly, the only way liability for POCA offences can be avoided is by reporting the underlying criminal conduct. That is especially so for those operating in the regulated sector - for the most part, financial institutions and professional advisers - who or that are subject to function-specific reporting obligations under POCA.

ii Internal investigations

Internal investigations have become increasingly common in recent years due largely to the increase in UK enforcement action and the severity of penalties that increasingly are being imposed. While the UK authorities do not necessarily require corporates to carry out internal investigations when they suspect wrongdoing, they typically expect to see that some action has been taken when evidence of possible misconduct is discovered or reports of possible misconduct are received. The type of action that is expected varies, however, between and among the pertinent authorities.

Internal investigations may be conducted by either internal or external counsel. Internal counsel typically take the lead in conducting internal investigations when the misconduct at issue is of a minor or routine nature. In cases involving more serious misconduct and particularly when there is a tangible possibility of enforcement action, it is more typical for external counsel to take the lead.

The SFO has made clear that the primary responsibility for investigating possible misconduct within the SFO's remit falls squarely upon the SFO.21 That said, SFO officials have said that they understand that ‘up to a point' corporates will need to do some work to investigate possible misconduct, if only to determine preliminarily whether the evidence of misconduct that has been discovered or the report of misconduct that has been received warrants the SFO's attention.

At the same time, SFO officials have said repeatedly that they will not tolerate internal investigations that ‘trample over the crime scene' and expect corporates to cooperate with the SFO's investigation rather than duplicating it. Further, SFO officials have stressed repeatedly that they will not accept self-reports at face value, no matter how comprehensive or seemingly objective the reports appear to be, being committed to conducting their own investigation to establish the pertinent facts.22

The SFO's begrudging tolerance for internal investigations is in stark contrast with the encouragement for internal investigations that long has emanated from officials at the US Department of Justice (DOJ) and Securities and Exchange Commission (SEC). Given the SFO's rather paltry budget, at least when compared with the resources that have been given to the DOJ and SEC, the SFO's attitude toward internal investigations is surprising.

In addition, it is not at all clear how a corporate-funded investigation would ‘trample over the crime scene', particularly when such investigations are geared toward collecting and preserving potentially pertinent electronic and other evidence that may be lost by the mere passage of time or pursuant to the company's long-standing document retention programme. Further, the SFO has not explained how its approach to internal investigations can be squared with a company's duty, when suspecting past misconduct, to move promptly to avoid future misconduct - a responsibility that can be difficult to meet if the corporate is deprived of the ability to conduct a prompt internal investigation.

The SFO's approach to internal investigations is mirrored in important respects by the FCA.23 While encouraging internal investigations in some contexts, the FCA has discouraged them when the suspicion that has arisen relates to market abuse or other criminal conduct. In those circumstances, the FCA expects firms not to carry out their own investigation, purportedly due to the risk of the FCA's investigation being compromised or potential suspects being alerted. Importantly, the FCA - like the SFO - expects to be involved from an early stage to discuss the nature and scope of any internal investigation the particular company has proposed to undertake or commission.

Both the FCA and SFO expect corporates to provide them with the fruits of any internal investigation they have undertaken or commissioned together with underlying supporting materials. Although privileged material is said to be protected from mandatory production, the FCA and SFO often have demanded production of - at the very least - the factual narrative in any internal investigation report that has been prepared. In one recent case, a corporate reportedly negotiated a compromise agreement with the SFO - agreeing to provide an oral summary of the internal investigation report as well as underlying documents rather than the report itself. In still other cases, corporates have chosen to provide the FCA and SFO with the full internal investigation report, seeking thereby to earn maximum cooperation credit.

Many have suggested, with good reason, that the recent decision of the High Court in Director of the Serious Fraud Office v. Eurasian Natural Resources Corporation Ltd 24 will operate as a major deterrent to internal investigations in the United Kingdom if the High Court's decision in the ENRC case is upheld by the Court of Appeal. In the ENRC case, discussed in more detail below, the High Court ordered ENRC to hand over various documents to the SFO, rejecting a claim of litigation privilege in respect of most of the pertinent materials. The High Court's decision was sharply criticised by the Law Society, the independent professional body for solicitors in England and Wales.25

Internal investigations tend to be conducted routinely in a competition law context, typically to support leniency applications. The relatively low evidential threshold for such applications coupled with the significant advantages of an early application usually result in a more detailed internal investigation being carried out post-application. Both pre-application and post-application internal investigations must be carried out with extreme caution, however, due to the risk of ‘tipping off' other participants in the suspected cartel activity. The CMA has issued guidance on how that should be managed.26

Importantly, while the CMA does not require a waiver of legal privilege as a requirement of leniency or otherwise, it does require corporates to keep a detailed note of all actions undertaken as part of any internal investigation they have conducted or commissioned, including recording the identities of any witnesses who were interviewed, the nature of the questions that were asked of them and their respective responses. The note is required to be retained until the conclusion of any proceedings the CMA initiates. Any refusal or inability to do so may be viewed by the CMA as an application not meeting the conditions for leniency.

iii Whistle-blowers

Whistle-blowers are afforded a number of workplace and non-workplace protections in England and Wales. Workplace protections derive from the Public Interest Disclosure Act 1998 (PIDA), which protects qualifying disclosures made to, inter alia, employers and ‘prescribed persons', including the CMA, SFO, FCA and HMRC.

To qualify for protection, the disclosure that is made must relate to a failure such as the commission of a criminal offence or breach of a legal obligation. The disclosure also must be motivated by a reasonable belief on the part of the whistle-blower that such failure occurred and that its disclosure is in the public interest.

If the disclosure satisfies PIDA criteria, it will be protected and employees dismissed unfairly or suffering detriment as a result of their disclosure may seek potentially unlimited compensation from their employer. Companies are expected to have procedures for dealing with whistle-blowing, especially when regulated by the FCA.27 At a minimum, a company will be expected to consider whether any further steps are required as a result of any disclosure that is made such as whether further investigation or the implementation of remedial actions are needed.

Non-workplace protection is given to witnesses and victims through the Code of Practice for Victims of Crime and the Witness Charter, which most prosecuting authorities, including the SFO and FCA, are legally bound to apply. These provide broad protections to disclosures and the treatment of victims and witnesses. Importantly, however, the relevant UK authorities typically are reluctant to advise whether a particular disclosure will qualify as a protected disclosure under PIDA.

In 2014 the FCA and the Bank of England Prudential Regulation Authority carried out research28 on the impact of financial incentives to encourage whistle-blowing in the United States. They found no empirical evidence of incentives leading to an increase in the number or quality of disclosures received and believed that incentives could undermine effective internal whistle-blowing mechanisms. A response by the Department for Business, Innovation & Skills to a whistle-blowing consultation the same year set out the UK government's view that incentives should not form an integral part of the whistle-blowing framework.29 At present, only the CMA offers financial incentives for information on cartel activity and payouts are discretionary.


i Corporate liability

Save when otherwise provided by statute, a corporate will be liable for the offences it commits just as it would be if it were an individual. As a corporate can act only through natural persons, such liability is based on acts committed by its respective officers or employees in the course of employment. Liability is attributed through one of two means: vicarious liability or the identification principle.

Vicarious liability typically, but not invariably, arises from the commission of a strict liability offence, namely offences that do not require fault or intention on the part of the offender. Such offences usually are created by statute and are most common in quasi-regulatory areas of the criminal law such as health and safety and trading standards.

The ‘identification principle' is by contrast fault-based and attributes to the company the acts and state of mind of those who represent the company's directing mind and will. The identification principle does not attribute to the company the acts and state of mind of all employees but only those who are serving on the company's board of directors, the managing director and other superior officers carrying out management functions.30

Because of the limited number of strict liability offences, most corporate prosecutions in the United Kingdom are based upon - and require application of - the identification principle. That often poses significant difficulty to prosecutors. The larger the company or the more diffuse its corporate structure, the more difficult it often is to attribute liability to the company. That has prompted widespread criticism of the identification principle in the United Kingdom, including by the Director of Public Prosecutions in relation to the ‘phone hacking' scandal when the absence of corporate prosecutions was laid at the door of the identification principle.31 David Green QC also has expressed his preference that the test for corporate criminal liability be reconsidered, lamenting that e-mail trails tend to dry up at a fairly junior level.32

One response to these difficulties has been the introduction of the ‘failure to prevent' model of liability adopted in Section 7 of the BA with respect to bribery and, more recently, Part III of the Criminal Finances Act 2017 (CFA) with respect to facilitation of tax evasion offences. In January 2017 the UK government also initiated a consultation on possible reform of corporate criminal liability. Several possible reforms were proposed in the consultation document, including (1) amending the identification principle by broadening the scope of those regarded as a directing mind of a company, (2) creating a new strict liability offence based upon principles of vicarious liability and (3) creating a new strict direct liability offence that focuses on the responsibility of a company to ensure that offences are not committed in its name. The consultation document also discussed the possibility of expanding the failure to prevent model to include other economic crimes. Economic crimes that might fall within any such future offence include conspiracy to defraud, false accounting and the fraud offences set out in Section 1 of the Fraud Act 2006 (FA06). If the proposed reforms were to be adopted they likely would make corporate prosecution simpler.

As regards representation, when both the corporate and its employees are being investigated, both typically are not represented by the same counsel. While joint representation sometimes occurs at the beginning of an investigation, the interests of the corporate and the corporate's employees often diverge early in the investigation, requiring separate representation. The costs of an individual's representation may be covered by director and officer liability insurance, although it is common for such policies to require any funds that are dispensed to be returned if the recipient of the funds ultimately is convicted of a criminal offence.

Individuals do not always have the right to legal representation at an interview in the United Kingdom even when the interview occurs in a criminal context. By way of example, when a representative of the SFO is interviewing an individual pursuant to the SFO's powers under Section 2 of the CJA87, the SFO is not required to permit a solicitor to be present at the interview or wait for one to arrive before beginning the interview. Similarly, since the Divisional Court's decision in R (Lord, Reynolds and Mayger) v. Serious Fraud Office,33 the SFO has been empowered to - and often does - exclude company lawyers from attending employee interviews (even over the employee's objection).

By contrast, individuals in the United Kingdom have the right to legal representation when being interviewed as a criminal suspect. In such circumstances, the PACE Code of Conduct gives such individuals the right to consult and communicate privately with a solicitor at any time during the interview.34 Such interviews usually are carried out at a police station following arrest, although certain authorities - such as the SFO - often insist upon conducting such interviews on the SFO's own premises.

Other rights and duties of an individual being interviewed in a criminal context likewise depend upon the individual's status. The target of a criminal investigation in the United Kingdom generally can decline to answer the questions put to him or her. But an individual being interviewed as a witness must answer any and all questions that are asked.

If a target of a criminal investigation in the United Kingdom exercises his or her right to remain silent when being interviewed but provides at trial a response on which the target seeks to rely in defence, the court may draw an adverse inference from the target's silence during the interview. By contrast, a response that an individual who was not a target was required to provide when being interviewed generally cannot be used against that individual in a subsequent criminal prosecution.

ii Penalties

Sanctions for corporate misconduct have become increasingly severe in England and Wales with nominal fines or non-criminal, regulatory outcomes no longer being guaranteed. There has been in recent years a sea change in the approach taken by many UK prosecutors to corporate offending, with substantial financial penalties and other severe criminal consequences seeming to increase with each passing year.

The FCA led the way during 2015, imposing a total of £905,219,078 in fines for regulatory breaches.35 High-profile, multimillion pound fines were somewhat less of a feature throughout 2016 and there was a significant drop in total fines imposed to £22,216,446. Regulatory fines and criminal prosecutions are, however, only two of the FCA's many disciplinary and enforcement powers. The FSMA36 gives the FCA power to impose a range of regulatory sanctions on those it regulates, from mere public censure at one end to the suspension or cancellation of FCA authorisation and the imposition of substantial regulatory fines at the other.

The FCA's Decision Procedure and Penalties Manual37 sets out a non-exhaustive list of factors the FCA should consider when determining what action to take in a particular matter. These include the nature, seriousness and impact of the suspected breach, the conduct of the firm or approved person after the breach occurred or was discovered (including how quickly, effectively and completely the breach was brought to the FCA's attention), the disciplinary record and compliance history of the firm or approved persons, any published guidance by the FCA and any action taken by the FCA in similar cases. In addition, the FSMA gives the FCA power to prosecute criminal offences such as insider dealing pursuant to the Criminal Justic Act 1993 (CJA93) and breaches of the Money Laundering Regulations 2007.

Like the FCA, the CMA has both civil and criminal powers with respect to competition law infringements. The civil remedies available to the CMA range from settlement accompanied only by the making of certain commitments to the imposition of financial penalties. Settlement is a voluntary process38 pursuant to which the infringing firm makes an unequivocal admission of liability and in return may receive a discount of up to 20 per cent of the penalty that otherwise would have been imposed. Commitments and directions are agreements between the firm and the CMA that, if not complied with, can be enforced through the courts.39

Commitments are accepted by the CMA only when the CMA deems, inter alia, its concerns to be capable of being fully addressed by the commitments. Similarly, directions are imposed only if the CMA is of the view that they are sufficient to end the particular infringement.40 The most significant civil power at the CMA's disposal is the power to impose financial penalties of up to 10 per cent of a firm's worldwide turnover in the business year preceding the date on which the CMA makes its decision.41

The CMA and SFO both can criminally prosecute individuals who are suspected of having committed a cartel offence.42 By contrast, the CMA and SFO can impose upon corporates only civil sanctions for anticompetitive conduct. Whether that will continue to be so, despite the criticism that appears to be growing in the United Kingdom of the traditional limitations on corporate criminal liability, remains to be seen.

The SFO is responsible for prosecuting serious or complex fraud, bribery and other forms of corruption. The SFO has two options for resolving such conduct in the case of corporates: entry into a DPA or a criminal prosecution. DPAs were introduced in the United Kingdom in February 201443 as a discretionary tool enabling prosecutors to enter into agreements with offending corporates, under the supervision of a judge, to suspend prosecution for a defined period of time so long as the corporate meets specified conditions during that time.

The usage of DPAs looks set to increase, with three DPAs having been entered into by the SFO in respect of bribery and corruption in the Standard Bank, XYZ and Rolls-Royce cases. In addition, in April a DPA was agreed44 between the SFO and Tesco Stores Limited following an investigation into accounting practices at Tesco that led to profits being overstated by £326 million. The fines levied in the Rolls-Royce and Tesco cases alone totalled £368,075,145 (not including the disgorgement of profits in the Rolls-Royce case).

The Joint SFO and CPS Deferred Prosecution Agreements Code of Practice makes clear that the SFO is ‘first and foremost' a prosecutorial authority and that the SFO and CPS will offer a DPA instead of pursuing a full prosecution only in exceptional cases.45 The public interest factors prosecutors are supposed to take into account when coming to such a decision include the corporate's history of similar conduct, whether the conduct being addressed is part of the corporate's established business practices, whether the corporate had an effective compliance programme and whether the corporate self-reported the matter within a reasonable period after the offending conduct was discovered.46 Importantly, the court is involved throughout the DPA process and ultimately must approve any DPA that is proposed.

Criminal prosecution or resolution of offending by means of a DPA can have a significant effect on the corporate from a public procurement perspective. The Public Contracts Regulations 201547 provide for mandatory debarment when a corporate is convicted of certain criminal offences. Such offences include the active bribery offences in Sections 1, 2 and 6 BA (although not the failure to prevent bribery offence in Section 7 of the BA). Mandatory debarment sometimes can be avoided if the corporate is able to demonstrate that it has adequately remediated the offending conduct. Absent such a showing, however, a criminal conviction triggers mandatory debarment. By contrast, entry into a DPA does not trigger mandatory debarment. Discretionary debarment may be ordered, however, depending upon the circumstances surrounding the DPA as well as in relation to any Section 7 BA violations.

Corporate tax offences are largely resolved by HMRC in line with its applicable Code of Practice by means of a civil resolution.48 Factors that may contribute to a criminal outcome include a suspicion of deliberate concealment, deception, conspiracy or corruption or when there is a link to suspected wider domestic or overseas criminality.

Violations of the financial sanctions regime may lead to the imposition of a monetary penalty by OFSI following enactment of the PCA that empowers OFSI to impose such penalties.

iii Compliance programmes

The existence of an effective compliance programme can be relevant to both liability and penalty, depending on the circumstances. While the existence of adequate procedures is a defence only to the Section 7 BA corporate offence of failing to prevent bribery, it nonetheless may be taken into account when considering the issue of penalty.

Section 7 of the BA provides for a defence to the corporate offence of failing to prevent bribery by persons associated with the corporate when such bribery is intended to obtain or retain a business advantage for the corporate. The defence requires that the corporate has adequate procedures designed to prevent persons associated with it from engaging in bribery. To be deemed to be adequate, the procedures must accord with the six principles set out in the Ministry of Justice's guidance on the BA49 - proportionality, top-level commitment, risk assessment, due diligence, communication (including training) and monitoring, and review. The principles are overarching principles and, as such, each set of procedures must be tailored to the individual corporate.

To date, no corporate has relied successfully upon the adequate procedures defence. The three DPAs entered into by the SFO thus far all have required changes to be made to the company's existing policies and procedures: Standard Bank agreed to commission an independent review of its anti-bribery and corruption controls, policies and procedures and XYZ agreed to carry out a review and submit annual compliance reports to the SFO. While Rolls-Royce some years earlier had hired Lord Gold to conduct an independent review of its compliance procedures, the terms of its DPA called for Rolls-Royce to complete the implementation of a compliance programme adhering to the review recommendations as well as the continued retention of Lord Gold as an independent specialist adviser to Rolls-Royce. Until a Section 7 BA charge is contested in court, the exact requirements of the adequate procedures defence will remain unclear.

As regards competition offences, the CMA's Penalty Guidance50 makes clear that compliance activities can merit in particular cases a penalty discount of up to 10 per cent. The starting point in that regard is neutral so that the mere existence of compliance efforts will not necessarily be treated as a mitigating factor. Evidence of adequate steps being taken to achieve a clear and unambiguous commitment to competition law compliance throughout the organisation (from the top down), together with appropriate steps having been taken relating to competition law risk identification, risk assessment, risk mitigation and review activities, often are treated as mitigating factors.

For firms regulated by the FCA and therefore bound by the provisions of the FCA Handbook, the establishment and maintenance of effective systems and controls for compliance with applicable requirements and standards and for countering the risk of the firm being used to further financial crime is mandatory.51 When a firm has not adopted such measures, it should expect to incur liability that is commensurate with the inadequacy of the measures it has taken. In fact, the FCA sometimes has penalised firms for not having established effective compliance systems and controls even in the absence of any other misconduct.52

iv Prosecution of individuals

When a corporate is prosecuted, it is usual in England and Wales for enforcement action also to be taken against culpable individuals. Guidance, such as that setting out the common approach of the CPS and SFO (and formerly the prosecutorial arm of HMRC),53 makes clear that prosecution of a company is not a substitute for the prosecution of criminally culpable individuals such as directors, officers or employees. The reason cited for that policy is that prosecution of culpable individuals provides a strong deterrent against future corporate wrongdoing. For example, while Tesco has agreed a DPA in principle with the SFO, three former company directors will stand trial in September 2017 on fraud charges.

When enforcement action is taken against an individual, it can pose a number of issues for the corporate involved. In particular, corporates must be mindful of any employment law obligations they owe toward such employees and ensure that any action they take against them is commensurate with the misconduct that has been identified.

The most common step taken against employees suspected of wrongdoing in the course of an investigation (whether internal or external) is suspension. The timing of the suspension must be considered carefully, however, as suspension for the entire duration of an investigation may not be deemed to be fair and reasonable from an employment law perspective. Suspension therefore usually occurs only after the particular employee has been interviewed as a suspect or charges have been made against such individual.

While there is no requirement for corporates to pay for an individual's legal representation (save for any provisions to the contrary in the individual's employment contract), it is common for corporates to do so in the beginning stages of an investigation. As the majority of those charged tend to be senior officers of the corporate - namely, those constituting its controlling mind and will - such individuals often also are able to rely upon director and officer liability insurance, which may provide cover until the individual is found to be guilty or otherwise at fault (see above).


i Extraterritorial jurisdiction

Typically, jurisdiction over criminal conduct is state specific. A state usually will have jurisdiction only when some or all of the offence takes place within its territory or the accused or victim is a national of that state. The exception is when principles of universal jurisdiction apply, such as in relation to war crimes, or the relevant jurisdiction has enacted laws with extraterritorial effect.

In the United Kingdom, it is well established that statutes are not to be interpreted as having extraterritorial effect unless they expressly state otherwise. In recent years, a number of such statutes have been enacted. The effect of this is that UK authorities, depending on the circumstances of the particular case, may prosecute offences that took place overseas, whether wholly or in part, when there is some connection to the United Kingdom such as through incorporation, nationality or residency.

Key offences with extraterritorial effect include:

a fraud under the FA06;

b dishonesty under the CJA93;54

c terrorism under the Terrorism Act 2000 and Terrorism Act 2006;

d bribery under the BA;

e money laundering under POCA; and

f tax evasion facilitation offences under the CFA.55

The BA has exceptionally broad extraterritorial effect. Corporates that carry on a business or part of a business in the United Kingdom may incur liability under Section 7 of the BA for bribery committed anywhere in the world for their benefit by persons associated with them irrespective of whether those persons have any other connection to the United Kingdom. Liability for both UK incorporated companies as well as those that merely carry on business or a part of a business in the United Kingdom therefore extends to acts committed on their behalf abroad.

The CFA may be deemed to have broad extraterritorial effect. Corporates that carry on a business or part of a business in the United Kingdom may incur liability under Part III of the CFA for tax evasion facilitation offences committed anywhere in the world by persons associated with them irrespective of whether those persons have any other connection to the United Kingdom. Final guidance in respect of the CFA is expected to be published by HMRC later in 2017.

In relation to money laundering, Part 7 of POCA makes clear that liability for money laundering offences may be predicated on criminal conduct that occurred abroad. The only additional requirements are that such overseas criminal conduct constituted a criminal offence in the United Kingdom when it occurred and proceeds of the overseas criminal conduct have been transferred, in some manner, to the United Kingdom.

The BA, CFA and POCA are part of a trend in UK law to provide liability for offences taking place abroad. It remains to be seen whether this trend will continue following the conclusion of the UK government consultation on reforming corporate criminal liability that also discusses the possibility of expanding the failure to prevent model to include other economic crimes.

ii International cooperation

With the internationalisation of business, it is becoming increasingly common for cases to involve criminality or participants in more than one jurisdiction. Law enforcement and prosecutorial authorities increasingly are dealing with that challenge through a variety of formal and informal channels.

The United Kingdom has enacted a number of statutes to facilitate the sharing of information between and among domestic and overseas authorities for the investigation and prosecution of crime. Such information gateways include Part XXIII of the FSMA, which permits the disclosure of confidential information for the purpose of allowing the performance of a public function and Section 68 of the Serious Crime Act 2007, which permits public authorities to disclose information to other organisations to prevent fraud.

A number of memoranda of understanding (MoUs) exist between the various UK authorities as well as their international counterparts. Examples of domestic MoUs include the MoU on Tackling Foreign Bribery, of which the FCA, SFO, NCA and the City of London Police are signatories; the MoU between the CMA and the SFO; and the MoU between the CMA and the FCA in relation to concurrent competition powers. International MoUs include the MoU between the FCA and the SEC.

In addition to such domestic statutes and MoUs, the United Kingdom has signed a number of multilateral and bilateral mutual legal assistance (MLA) treaties enabling UK prosecuting authorities to obtain evidence overseas. These include the European Convention on Mutual Assistance in Criminal Matters 1959, the Convention on Mutual Legal Assistance in Criminal Matters between the Member States of the European Union 2000, the United Nations Convention against Corruption 2003, the Commonwealth Scheme Relating to Mutual Assistance in Criminal Matters (1986) and various bilateral agreements with individual countries such as the United States. Section 7 of the Crime (International Co-operation) Act 2003 also provides for UK prosecutors to obtain overseas evidence through letters of request.

In addition to the formal means of information gathering mentioned above, law enforcement authorities in the United Kingdom can draw upon an array of informal information exchange networks. It is not uncommon for UK authorities to speak on an informal basis with their foreign counterparts. Issues of forum and investigation primacy tend to be resolved following informal discussion, particularly in reasonably straightforward or uncomplicated cases. More complicated cases may require prosecutors to engage the more formal MLA means of information exchange.

As a result of the foregoing measures, corporates being investigated in one jurisdiction should be conscious that information regarding the investigation, especially if touching other jurisdictions whether through relevant conduct or some other territorial nexus, often will be made available to law enforcement or prosecutorial authorities overseas. China, to cite only one example, recently initiated a bribery prosecution of one company that previously had been convicted of bribery in China by an overseas prosecutor.

A further possible consequence of MLA arrangements between states is the extradition of individuals. Two types of extradition exist in the United Kingdom: import extradition and export extradition. The former relates to a request from the United Kingdom to another state for the extradition of a person to the United Kingdom. The latter relates to a request by another state for the extradition of someone from the United Kingdom. Importantly, not all offences are extraditable offences.

The Extradition Act 2003 (the 2003 Act) regulates both import and export extradition. Part 1 of the 2003 Act regulates export extradition to category 1 states. These are EU Member States that have implemented the European Arrest Warrant mechanism. For the most part, dual criminality is required to be shown in that the conduct at issue must constitute an offence in the United Kingdom as well as in the state seeking extradition. Part 2 of the 2003 Act regulates export extradition to category 2 states - that is, to non-EU Member States.

Decisions regarding extradition to non-EU Member States ultimately are made by the UK Secretary of State. Various restrictions apply to extradition from the United Kingdom such as whether the death penalty might be imposed or whether extradition to a third state could ensue following initial extradition. Import extradition is regulated by Part 3 of the 2003 Act. As with export extradition, the applicable mechanism for import extradition generally depends upon whether the relevant state is a category 1 or 2 state. Whether such requests are granted is determined ultimately, of course, by the overseas state.

iii Local law considerations

One of the central issues in cross-border investigations, especially those involving the United States, is the application of the UK data protection regime. The Data Protection Act 1998 prohibits the transfer of personal data from the United Kingdom outside the European Economic Area unless the recipient, jurisdiction or territory is able to ensure a UK-equivalent level of protection to those to whom the data belong. Whether a jurisdiction or territory is deemed to provide an adequate level of protection is decided by the European Commission.56

Until 2015, personal data were permitted to be transferred to certain US companies that had agreed to adhere to the ‘Safe Harbor' framework agreed between the European Commission and United States. But the Court of Justice of the European Union invalidated the ‘Safe Harbor' framework in October 2015 in Maximillian Schrems v. Data Protection Commissioner.57 In July 2016, the European Commission adopted the EU-US Privacy Shield, a replacement for the Safe Harbor regime that imposes obligations on US companies to protect EU citizens' personal data in accordance with certain principles, including the tightening of conditions for onward transfer of data to third parties and clear safeguards and transparency obligations on access by the US government. However, concerns were raised with an earlier version of the pact and the final version does not address the entirety of those concerns. A challenge to the scheme has now been launched58 by privacy advocacy group Digital Rights Ireland, which may take over a year to resolve. In April 2017 the European Parliament also passed a resolution59 expressing numerous concerns over Privacy Shield and calling upon the EU Commission to conduct a proper assessment of Privacy Shield.

Legal professional privilege is another issue that must be considered from the beginning of an investigation. England and Wales recognises both legal advice privilege and litigation privilege in relation to advice provided by both in-house and external counsel, with one exception in relation to competition law.

It has become increasingly common for authorities to seek the production of investigation materials arguably subject to legal professional privilege, such as first account witness interviews, as a sign of cooperation. There are substantial difficulties with invoking privilege over such documents.

The High Court recently issued an important decision on the unavailability of legal advice privilege in Re the RBS Rights Issue Litigation.60 The court upheld the restrictive approach to defining a ‘client' that was adopted in Three Rivers (No. 5)61 and rejected claims of privilege asserted by RBS over notes of internal interviews on the grounds that the pertinent group of employees and ex-employees did not constitute the client for the purpose of privilege. Consequently, the information provided by that group of RBS employees and ex-employees did not fall within the scope of legal advice privilege. The contention that the interview notes still could fall within the scope of legal advice privilege on the basis that they were ‘lawyers' working papers' also was rejected by the court.

The recent decision of the High Court in the ENRC case further increases the difficulty in invoking privilege over litigation materials. The court ordered ENRC to hand over various documents to the SFO, rejecting a claim of litigation privilege in respect of most of the pertinent materials. The court's view was that litigation privilege required the company to be aware of circumstances that made prosecution a real likelihood as opposed to a mere possibility. The company's fear of a dawn raid and subsequent prosecution by the SFO was held to be insufficient to establish that prosecution was a real likelihood. Consequently, the court concluded that litigation privilege did not protect the majority of the documents sought by the SFO.

The foregoing decisions doubtless will generate much debate as to how best to protect notes of internal investigation interviews and other investigation materials from disclosure. It is likely that, unless the Supreme Court hears the issues raised by these cases, real difficulty in invoking legal professional privilege will remain.


The past year has seen the SFO becoming increasingly active, initiating a number of high-profile investigations and making more use of DPAs to resolve investigations into corporate misconduct. In addition to the DPAs entered into between the SFO and each of XYZ, Rolls-Royce and Tesco, SFO investigations continue into the activities of Airbus and Unaoil. A number of other companies have also become embroiled in the Unaoil investigation, with the Swiss engineering company ABB, the US engineering and construction company KBR and UK oil services group Petrofac among the corporates now also the subject of ongoing SFO investigations.

There have been significant legislative developments, with the enactment of the CFA introducing two new corporate criminal offences concerning the facilitation of tax evasion and the PCA empowering OFSI to impose financial penalties in respect of violations of the sanctions regime. These developments, along with the UK government's initiation of a consultation on the reform of corporate criminal liability, raise the possibility of an uptick in investigations and enforcement actions focused on corporates over the coming few years.

Finally, the decision of the High Court in ENRC will have important ramifications for litigation privilege in the United Kingdom, rendering it harder for corporates to advance arguments that litigation privilege applies to documents prepared during the course of an internal investigation and requiring lawyers to give even greater thought to how best to preserve privilege for their clients during the course of future investigations.


Tackling corporate crime has become a key political priority for the United Kingdom in recent years. With it has come a raft of legislative measures aimed at providing additional routes to corporate liability and tougher sentencing.62

The CFA creates new corporate criminal offences of failing to prevent an associated person from facilitating United Kingdom or foreign tax evasion - offences based on the strict liability ‘failure to prevent' model used in the Section 7 of the BA offence. There is clearly a desire on the part of the UK government to tackle tax evasion and penalise those corporates deemed to be facilitating it. The desire to clamp down on broader economic crime is also evidenced in the UK Government's recently initiated consultation on the reform of corporate criminal liability and possible expansion of the ‘failure to prevent' model to other economic crimes such as false accounting and conspiracy to defraud.

Similarly, the PCA63 has introduced extensive new provisions regarding financial sanctions breaches. Historically, very few prosecutions have been brought in the United Kingdom for breaches of financial sanctions. The PCA demonstrates the current UK government's intention to change that by increasing the maximum term of imprisonment for such breaches from two to seven years and providing a new civil monetary penalty regime. Under the new regime, OFSI can impose a monetary penalty of up to £1 million on a person if it is satisfied that, on the lower civil standard of probabilities, the person breached or failed to comply with the UK financial sanctions regime.

When the breach or failure relates to particular funds or economic resources and it is possible to value them, the maximum fine permitted is the greater of either £1 million or 50 per cent of the estimated value of the funds or resources. As such, when it is possible to put a value on the breach, the fine could well be significantly in excess of £1 million. This combined with additional provisions permitting such breaches to be dealt with by means of a DPA and the establishment in March 2016 of OFSI, a body dedicated to the implementation and enforcement of financial sanctions, suggests that the coming year may see increased enforcement action for breach of financial sanctions.

It is clear that the investigation and prosecution of corporate wrongdoing has gained significant momentum in the United Kingdom in recent years. There is significant appetite to continue to clamp down hard on economic crime through legislative means and the provision of additional enforcement tools to UK prosecutors. Whether the pertinent UK authorities can continue to build on that momentum will be one of the stories to follow over the next year or two.

1 Jeff Cottle and John Rupp are partners and Alex Melia and Peter Ibrahim are associates at Steptoe & Johnson UK LLP.

2 Tchenguiz v. Serious Fraud Office [2012] EWHC 2254 (Admin) dealt with the execution of a search warrant on the business premises of prominent UK businessmen Robert and Vincent Tchenguiz for documents pertaining to the collapse of the Icelandic bank Kaupthing. The High Court held in the foregoing case that the SFO search had been unlawful because the SFO had obtained the underlying warrant through misrepresentation and that the SFO had failed to disclose salient facts to the judge who had issued the warrant.

3 Unaenergy Group Holding Pte Ltd & Ors, R (On the Application Of) v. The Director of the Serious Fraud Office [2017] EWHC 600 (Admin). The High Court expressed reluctance in the foregoing case to permit challenges to the conduct of enforcement agencies, such as the SFO, acting in good faith to investigate serious criminality.

4 Soma Oil And Gas Ltd, R (On the Application Of) v. Director of the Serious Fraud Office [2016] EWHC 2471 (Admin).

5 As amended by the Enterprise and Regulatory Reform Act 2013.

6 Section 19 of the FSMA makes it a criminal offence to carry out any regulated activities in the UK without prior authorisation from the FCA.

7 As amended by the Finance Act 2007.

8 See www.cps.gov.uk/publications/code_for_crown_prosecutors/.

9 While the CMA does carry out both civil and criminal investigations, only individuals may be prosecuted for the criminal cartel offence. Corporates are only liable to financial penalties.

10 See the Joint Guidance on Corporate Prosecutions issued by the Director of Public Prosecutions, the Director of the SFO and the Director of the Revenue and Customs Prosecutions Office (www.sfo.gov.uk/ publications/guidance-policy-and-protocols/corporate-self-reporting/).

11 [2016] Lloyd's Rep. F.C. 102 and [2016] Lloyd's Rep. F.C. 91.

12 See www.sfo.gov.uk/cases/sweett-group/.

13 See www.sfo.gov.uk/2016/07/08/sfo-secures-second-dpa/.

14 See www.sfo.gov.uk/2017/01/17/sfo-completes-497-25m-deferred-prosecution-agreement-rolls-royce-plc/.

15 See http://globalinvestigationsreview.com/article/1080345/david-green-rolls-royce-deserved-dpa-despite-not-self-reporting.

16 See Principle 11 of the FCA Principles for Businesses at PRIN 2.1 of the FCA Handbook (www.handbook.fca.org.uk/handbook/PRIN/2/1.html).

17 See FG15/8: The FCA's concurrent competition enforcement powers for the provision of financial services (www.fca.org.uk/static/documents/finalised-guidance/fg15-08.pdf).

18 See speech by Jamie Symington, the FCA Director of Enforcement (Wholesale, Unauthorised Business and Intelligence), 5 November 2015 (www.fca.org.uk/news/speeches/internal-investigations-by-firms-#).

19 See www.fca.org.uk/news/deutsche-bank-fined-by-fca-for-libor-and-euribor-failings.

20 See www.fca.org.uk/news/press-releases/fca-imposes-penalties-sonali-bank-uk-limited-money-laundering.

21 See speech by Ben Morgan, Joint Head of Bribery, 20 May 2015 at the Global Anti-Corruption and Compliance in Mining Conference 2015 (www.sfo.gov.uk/2015/05/20/compliance-and-cooperation/).

22 See speech by Matthew Wagstaff, Joint Head of Bribery, 18 May 2016 at the 11th Annual Information Management, Investigations Compliance eDiscovery Conference (www.sfo.gov.uk/2016/05/18/role-remit-sfo/).

23 See FCA Handbook, Enforcement Guide 3.11 (www.handbook.fca.org.uk/handbook/EG/PDF/Archive/?view=chapter).

24 [2017] EWHC 1017 (QB).

25 Max Walters, Erosion of Privilege Lambasted by Society, The Law Society Gazette, (15 May 2017).

26 See July 2013 OFT Guidance, adopted by the CMA, on Applications for leniency and no-action in cartel cases (www.gov.uk/government/uploads/system/uploads/attachment_data/file/284417/OFT1495.pdf).

27 The FCA published new rules in relation to whistle-blowing on 7 July 2015 requiring certain regulated firms to implement procedures for handling whistle-blowing disclosures as well as a senior manager as their whistle-blowing champion (see www.fca.org.uk/news/fca-introduces-new-rules-on-whistle-blowing).

28 See www.fca.org.uk/publication/financial-incentives-for-whistleblowers.pdf.

29 See www.gov.uk/government/uploads/system/uploads/attachment_data/file/323399/bis-14-914-whistleblowing-framework-call-for-evidence-government-response.pdf.

30 Tesco v. Supermarkets Ltd v. Nattrass [1972] AC 153.

31 The Director of Public Prosecutions stated ‘the law on corporate liability in the United Kingdom makes it difficult to prove that a company is criminally liable if it benefits from the criminal activity of an employee, conducted during their employment' (www.cps.gov.uk/news/latest_news/no_further_action_to_be_taken_in_operations_weeting_or_golding).

32 See www.acfe.com/article.aspx?id=4294980221.

33 [2015] EWHC 865 (Admin).

34 See PACE Code C, paragraph 6 (www.gov.uk/government/uploads/system/uploads/attachment_data/file/364707/PaceCodeC2014.pdf).

35 FCA fines totalled £1,471,431,800 in 2014 and £905,219,078 in 2015.

36 As amended by the Financial Services Act 2012.

37 See DEPP 6.1 (www.handbook.fca.org.uk/handbook/DEPP/6/?view=chapter).

38 Historically, settlement took place informally. Section 42 of the Enterprise and Regulatory Reform Act 2013, however, introduced a formal settlement procedure.

39 Sections 31E and 34 of the CA98.

40 Sections 32 and 33 of the CA98.

41 Pursuant to the Competition Act 1998 (Determination of Turnover for Penalties) (Amendment) Order 2004 (SI 1259/2004).

42 As set out in Section 188 of the Enterprise Act 2002.

43 Pursuant to Schedule 17 of the Crime and Courts Act 2013.

44 See www.sfo.gov.uk/2017/04/10/sfo-agrees-deferred-prosecution-agreement-with-tesco.

45 See Section 2.1 of the Joint SFO and CPS Deferred Prosecution Agreements Code of Practice (www.sfo.gov.uk/publications/guidance-policy-and-protocols/deferred-prosecution-agreements).

46 See Section 2.8 of the Joint SFO and CPS Deferred Prosecution Agreements Code of Practice.

47 See Regulation 57 of The Public Contracts Regulations 2015 (www.legislation.gov.uk/uksi/2015/102/regulation/57/made).

48 See Code of Practice 8 in relation to specialist investigations (fraud and bespoke avoidance) and Code of Practice in relation to HM Revenue & Customs investigations ‘where we suspect fraud'.

49 See the Bribery Act 2010: Guidance about procedures that relevant commercial organisations can put in place to prevent persons associated with them from bribing (Section 9 of the Bribery Act 2010) (www.justice.gov.uk/downloads/legislation/bribery-act-2010-guidance.pdf).

50 The CMA has adopted the OFT's guidance on penalties (see www.gov.uk/government/ uploads/system/uploads/attachment_data/file/284393/oft423.pdf).

51 See SYSC 3.2.6R and SYSC 6.1.1R of the FCA Handbook (www.handbook.fca.org.uk/handbook/SYSC/).

52 In November 2015, the FCA fined Barclays Bank £72.6 million for failing to minimise the risk of being used to facilitate financial crime. In doing so, the FCA found that the bank had arranged and executed a £1.88 billion transaction for numerous ultra-high net worth politically exposed persons without conducting adequate due diligence or establishing the purpose and nature of the transaction. Importantly, the FCA did not find that the funds at issue had been produced, in whole or in part, by underlying criminal activity. The FCA nonetheless fined Barclays Bank for regulatory failings (see www.fca.org.uk/your-fca/documents/final-notices/2015/barclays-bank-plc-nov-2015).

53 See CPS Guidance on Corporate Prosecutions (www.cps.gov.uk/legal/a_to_c/corporate_prosecutions/).

54 Part 1 of the CJA93 applies to the sections of the Theft Act 1968 that have not been repealed.

55 Part III of the CFA.

56 So far, the Commission has recognised the following as providing adequate protection: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, New Zealand, Switzerland and Uruguay (see http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en. htm).

57 Case C-362/14.

58 See http://curia.europa.eu/juris/fiche.jsf?id=T%3B670%3B16%3BRD%3B1%3BP%3B1%3BT2016%2F0670%2FP&pro=&lgrec=en&nat=or&oqp=&dates=&lg=&language=en&jur=C%2CT%2CF&cit=none%252CC%252CCJ%252CR%252C2008E%252C%252C%252C%252C%252C%252C%252C%252C%252C%252Ctrue%252Cfalse%252Cfalse&num=T-670%252F16&td=%3BALL&pcs=Oor&avg=&mat=or&jge=&for=&cid=802267.

59 See www.europarl.europa.eu/news/en/news-room/20170329IPR69067/data-privacy-shield-meps-alarmed

60 [2016] EWHC 3161 (Ch) (8 December 2016).

61 Three Rivers District Council and Others v. The Governor and Company of the Bank of England [2003] EWCA Civ 474.

62 See the Sentencing Council's Definitive Guideline on Fraud, Bribery and Money Laundering Offences (www.sentencingcouncil.org.uk/wp-content/uploads/Fraud_bribery_and_money_laundering_offences -_Definitive_guideline.pdf).

63 www.legislation.gov.uk/ukpga/2017/3/contents/enacted/data.htm.