i introduction

The law on corporate prosecutions in England and Wales has historically made it difficult to hold entities to account for the actions of their employees. This led to a relatively low prioritisation of corporate investigations. This position has evolved during the last decade owing to a combination of changes in some areas of criminal law2 and increasingly aggressive enforcement in sectors such as financial services, in part driven by increasing public demands for corporate accountability.

Several bodies have responsibility for various aspects of corporate investigations:

  1. the Serious Fraud Office (SFO) investigates and prosecutes the most serious cases of fraud and economic crimes in the United Kingdom. This includes lead-agency responsibility for enforcing the Bribery Act 2010 (BA 2010);3
  2. the Competition and Markets Authority (CMA) is the main competition regulator and is responsible for enforcing the Competition Act 1998 (CA 1998) and Articles 101 and 102 of the Treaty on the Functioning of the European Union;4
  3. the Financial Conduct Authority (FCA) is both a prosecuting body and the regulator of financial institutions, with responsibility for maintaining the integrity of the UK financial markets, including the investigation of financial sector crimes, such as market abuse and insider dealing;5
  4. Her Majesty's Revenue and Customs (HMRC) investigates tax and revenue-related offences with wide-ranging civil and criminal investigatory powers;6
  5. the Office of Financial Sanctions Implementation (OFSI) implements the UK sanctions regime;7
  6. the National Crime Agency, which includes the National Economic Crime Centre (NECC),8 coordinates and assists the work of the other agencies and the police in the investigation and prosecution of economic crime; and
  7. the Crown Prosecution Service (CPS) prosecutes on behalf of HMRC and the CMA (who have only investigatory powers and no prosecuting authority).9

These bodies have distinct remits, but with some overlap, and a range of powers to enforce the legislation within that remit. This includes the ability to execute search warrants and to file compulsory production notices for the production of documents. Some of these powers can only be exercised with a court order, some have to be exercised with the assistance of the police and others are wholly in the control of the agency themselves (subject to the statutory powers by which they are established).

The ability and extent of the powers to obtain material has been the subject of a number of important challenges through the courts in recent years, which will be discussed further below. Corporations are not permitted to withhold documents from the authorities on the grounds of client confidentiality and data privacy, and must hand over any materials requested by such notices and orders, save where legal privilege applies.10 It is a separate criminal offence in England and Wales not to comply with a lawful production order.

Another area of significant development in the law has been the introduction of deferred prosecution agreements (DPAs), which are available to prosecutors in both the CPS and the SFO. Under a DPA, corporations11 accused of certain criminal offences are permitted to enter into an agreement with the prosecutor to defer a prosecution (and, theoretically, avoid a prosecution altogether) if they fulfil the terms of an agreement approved by a judge. The agreement usually includes payment of a financial penalty, costs and compensation; implementation of, or improvement to, a compliance programme; and cooperation with ongoing investigations. So far, there have been four DPAs in the United Kingdom, although the regime has come under considerable criticism (see Section III.iv).

ii Conduct

i Self-reporting

A corporate's approach to self-reporting in England and Wales must be considered against a broad spectrum of factors, which include the nature of the issue, the prospect of enforcement activity, the benefits of cooperation with authorities, the industry sector in which the corporate operates and the supervisory regime applicable to the corporate. Although there is no obligation to self-report most criminal conduct, there are notable exceptions for those operating in regulated sectors such as financial services. The decision of whether to self-report will need to take into account this wide range of factors, as well as the possibility of enforcement actions in other jurisdictions (which will be subject to their own decision in respect of self-reporting) and will usually be taken with the assistance of legal counsel.

The FCA's principles of openness create an expectation that entities they regulate will self-report issues.12 The regulator has regularly made clear that it regards self-reporting to be a key part of the open and cooperative relationship it expects of its regulated entities.13 Within its guidance, the FCA mandates a large number of reporting requirements including reporting in relation to complaints,14 accounts15 and market abuse.16 The principle of openness has, on a number of occasions, been the basis for fining firms for failing to adequately self-report.

The CMA operates a more discretionary approach to self-reporting, but one based on an explicit framework for the recognition of reporting.17 The leniency programme is designed to encourage companies that have been involved in wrongdoing to proactively cooperate with the CMA. To encourage self-reporting, the CMA offers a sliding scale of leniency ranging from total immunity to reduced financial penalties, depending on the timing of the self-reporting.18 As with most self-reporting regimes, the earlier the report is made, the more lenient the authority will be.

Although not as structured as the CMA scheme, a similar incentive-based self-reporting principle is operated by the SFO and CPS. The SFO's policy on corporate self-reporting states that self-reporting will be a key factor in deciding whether to prosecute.19 The benefits of self-reporting have also been highlighted in the guidance provided for DPAs.20 Initially the SFO had indicated that only companies that self-reported would be eligible for a DPA, but both Rolls-Royce and Tesco have been able to secure DPAs without self-reporting.21 In the non-regulated sectors, the decision as to whether to self-report is a balance between a number of incentives and disincentives that require careful consideration.

An additional but discrete layer of strict self-reporting is required under the Proceeds of Crime Act 2002 (POCA). The POCA legislates for a number of criminal money laundering offences, including becoming concerned in an arrangement that the person knows or suspects facilitates the acquisition, retention, use or control of criminal property by or on behalf of another person.22 Voluntary self-reporting through an authorised disclosure may be used as a defence to such an offence.23 Although self-reporting is not compulsory for non-regulated persons, it is a criminal offence for a regulated person who has reasonable grounds for knowing or suspecting that another person is engaged in money laundering, to fail to report such knowledge or suspicion.

ii Internal investigations

Internal investigations are increasingly used by both international and domestic companies as a way of mitigating risk as well as honouring regulatory obligations. It is no longer a viable option for a company to turn a blind eye to any allegations or suspicions that it receives about its business operations, and an internal investigation is a common first step in dealing with potential issues.

Preliminary or scoping interviews occur in the very early stages of investigations and are used to identify useful information and where further evidence might be located. Witness interviews form a crucial part of internal investigations. Importantly, these interviews may take place on the understanding between the interviewer and the employee that they are confidential and attract privilege.24 However, 'the law as it stands today is settled. Privilege does not apply to first interview notes': unless those notes contain privileged legal advice, privilege would apply.25

Authorities expect details of witness interviews to be provided to them. This expectation is set out in the form of speeches and guidelines as opposed to law. To gain the benefit of a DPA, the SFO has said it expects companies to cooperate and comply with Clause 2.8.2(i) of the Code of Practice on Deferred Prosecution Agreements (the DPA Code) by 'identifying relevant witnesses, disclosing their accounts and the documents shown to them and, “where practicable”, making witnesses available for interview when requested'.26

The SFO has taken an open approach in the past in relation to the detail it expects to be provided with witness interviews;27 however, it has made it clear that 'first accounts' are expected as part of any information given to the SFO. There does not appear to be a consistent practice in this regard, and the approach can vary case by case.28 Over the past five years, there has been a suggestion from the SFO that they are reluctant to see companies conducting internal investigations for fear of them 'trampling the crime scene',29 but under the new SFO director,30 there is some belief that this approach may be relaxed.

The FCA also takes a cautious approach to internal investigations and has noted a number of potential issues with internal investigations. These issues include poor communication with the FCA at the early stages of an investigation resulting in a report that is unhelpful for FCA purposes, or even the risk that a subsequent FCA investigation is prejudiced or hindered by a firm's own internal investigation.31

By contrast, the CMA's approach to self-reporting necessitates internal investigations, in particular the requirement for supporting evidence in claims for leniency; however, these internal investigations are required to be limited to what is strictly necessary to minimise the risk of 'tipping off' other parties to cartel activity. As part of the leniency application process, companies are required to take 'careful note' of all investigative actions and keep records until the conclusion of any related proceedings.32

One issue related to internal investigations that has received significant attention in the past few years is legal professional privilege. In England and Wales, internal legal counsel attract the same legal privilege as external counsel, so one of the advantages of instructing external counsel may not exist compared to other jurisdictions. The extent of that privilege has been the subject of judicial decision in Director of the SFO v Eurasian Natural Resources Corporation Limited [2018] EWCA Civ 2006 (ENRC), where the Court of Appeal reversed the first-instance decision33 in which the High Court agreed with the SFO's view that litigation and legal advice privilege did not apply in the context of documents that were generated during an investigation by forensic accountants and lawyers (see Section IV.iii).

In most internal investigations, employees will not receive their own independent legal advice. This is because the interviews are simply part of a fact-finding investigation and the employee is not treated as a suspect. In these circumstances, cooperation between employees and their companies will be in both parties' shared interests. At the outset of any fact-finding interview, the individual must be advised that the lawyers representing him or her are the company's lawyers and that the company holds the privilege.34

However, in some circumstances, independent legal representation for the employee may be either necessary or desirable, for example, if the employee is a suspect, or risks incriminating themselves or admitting regulatory breaches, or has the potential to create a liability for the employer. In these circumstances there may be a conflict between the best interests of the employee and their employer and independent legal advice would be appropriate.

iii Whistle-blowers35

There is protection for whistle-blowers set out in the Public Interest Disclosure Act 1998 (PIDA). The PIDA has a significantly broader definition of 'worker' than the Employment Rights Act 1996, which includes employees, employee shareholders and agency workers.36 Should an employer dismiss a worker for the reason (or principal reason) that the employee made a 'protected disclosure', this dismissal will automatically be unfair. Further, if an employer subjects an employee to any detriment for reason that he or she made a protected disclosure then they could also have a distinct claim for detriment up to the date the employee was dismissed. Detriment can include damaged career prospects, dock of pay or loss of work and disciplinary action. The tests for qualifying for protection are:37

  1. Was the disclosure a qualifying disclosure?
  2. Has the worker made a disclosure of information?
  3. Did the subject matter of the disclosure relate to one of the types of 'relevant failure'?
  4. Did the worker have a reasonable belief that the information shows that one of the six relevant behaviours has occurred?
  5. Did the worker have a reasonable belief that the disclosure was in the public interest (not applicable to disclosures made before 25 June 2013)?38
  6. Was the disclosure a protected disclosure?

In March 2019, the former Prime Minister Theresa May announced that the government would be bringing in changes to the operation of non-disclosure agreements, particularly those that operate between employees and employers. One of the stated motivations for the changes is to give whistle-blowers additional protections and to ensure individuals are not put off from reporting their concerns to the appropriate enforcement agencies.

In April 2019 the EU Parliament approved a new law that will grant greater protections to individuals who report any breach of EU law.39 This is the first time that whistle-blowers will have EU-wide protection, although the proposals note that the United Kingdom was one of the Member States that already had a comprehensive regime in place. It is expected that EU ministers will approve the proposal and Member States will then have two years to comply. Given the United Kingdom's intended departure from the European Union the applicability of the proposals is uncertain; however, the United Kingdom may decide to mirror the directive, particularly given the importance of the protections for the financial services industry.

The financial services sector has developed a more rigorous whistle-blower regime than that which has nationwide application under the PIDA. There was a 24 per cent increase in the number of whistle-blowing reports to the FCA in 2018 compared with 2017. The current regime applies to around 8,000 companies but it is estimated this could increase to 55,000 companies by the end of 2019 once the regime is widened.

On 14 November 2018, the FCA published its research into the consequences of new whistle-blowing rules introduced on 7 September 2016. These rules can be found in the Senior Management Arrangements Systems and Controls 1840 and they require firms to:

have effective arrangements in place for employees to raise concerns, and to ensure these concerns are handled appropriately and confidentially. The requirement to appoint a whistle-blowers' champion is to ensure there is senior management oversight over the integrity, independence and effectiveness of the firm's arrangements.41

The Financial Reporting Council (FRC),42 which has responsibility for setting UK standards of corporate governance, includes, within the UK Corporate Governance Code 2018, a principle that '[t]here should be a means for the workforce to raise concerns in confidence and – if they wish – anonymously'.43 This code, however, operates on a 'comply or explain' basis, so listed companies are not obliged to have a whistle-blowing policy in place, even if it is good practice.

Similarly, the Ministry of Justice (MOJ) suggests that having adequate whistle-blowing procedures44 may be an important part of asserting an 'adequate procedures' defence to the offence of failing to prevent bribery under Section 7 BA 2010 and the British Standards Institution outlines whistle-blowing procedures as part of its published standard for Anti-Bribery Management Systems.45

Currently, there are no monetary incentives in England and Wales for whistle-blowers to come forward. The Home Office has previously considered introducing financial incentives for whistle-blowers who come forward on matters of 'fraud, bribery and corruption';46 however, research from various groups including the FCA and the Prudential Regulatory Authority (PRA) concluded that providing financial 'incentives' would not in fact encourage whistle-blowing.47

iii Enforcement

i Corporate liability

The case law on civil vicarious liability is voluminous. In general, a corporate employer is vicariously liable for the acts of its employees where it would be fair and just to hold the employer vicariously liable. If the employees' acts are within the ordinary course of their employment, this will usually be sufficient.

Corporate criminal liability is normally only relevant, however, where a criminal offence imposes strict liability and the state of mind of the company (acting through its employee) does not need to be established. In addition, there is a growing number of statutory offences that create a corporate liability, such as the offence of 'failing to prevent bribery' under Section 7 of the BA 2010, which is discussed further below.

Companies will only be liable for offences requiring proof of a criminal state of mind by application of the 'identification principle'. The identification principle imputes the acts and state of mind of the individuals who represent the 'directing mind and will' of the company. This is much more narrow than the basis of attribution in the United States, for instance, where a company can be liable for the actions of its agents and employees when they act within the scope of their employment and at least in part to benefit the company (which is more akin to the basis for civil liability in England and Wales).

The leading case of Tesco Supermarkets v Nattrass [1972] AC 153 defines the 'directing mind and will' of the company as the directors and, in certain circumstances, other senior officers of the company who carry out management functions and speak and act as the company. The test of attribution may also be met if the directors have delegated part of their management functions.48 This has historically been very difficult to prove against companies and this has only got more difficult as complex corporate structures become a common feature in UK corporate bodies.

The BA 2010 introduced a new approach to establishing corporate criminal liability in the United Kingdom. It legislates for bribery offences committed in the United Kingdom and abroad by individuals and companies. Section 7 of the BA 2010 creates the offence of 'failure to prevent bribery', which can be committed by a corporate entity only. It first requires that a person associated with the company has committed an offence under Sections 1 or 6 of the BA 2010 and that there are no applicable defences (as discussed in the next section), or would have done if they were within the territorial scope of the BA 2010. A person is 'associated with' the company if they perform services for or on behalf of the organisation in any capacity. This is, therefore, not confined to employees but also covers agents such as independent contractors.

Second, Section 7 of the BA 2010 requires that the person who committed the offence to have intended either to obtain or retain business or an advantage in the conduct of business for the company. Knowledge on behalf of the company is not required. Section 7 of the BA 2010 has a broad territorial scope and applies not only to UK-incorporated companies but also those that carry on a business or part of a business in the United Kingdom.

ii Penalties

The approach to sanctions against businesses for corporate misconduct has shifted in recent years. Corporations considered liable of corporate misconduct can suffer a penalty ranging from a minor fine to a substantial financial penalty and severe criminal consequences from a selection of prosecuting bodies.

The Financial Services and Markets Act 2000 (FSMA) grants the FCA the power to impose a variety of sanctions ranging from public censure to the revocation of FCA authorisations and large regulatory fines.49 There have been a number of notable fines associated with reporting failures in 2019.50 FSMA also grants the FCA the power to bring criminal prosecutions for the purpose of tackling financial crime such as investigations for insider dealing pursuant to the Criminal Justice Act 1993 and breaches of the recently enacted Sanctions and Anti-Money Laundering Act 2018. The FCA's Decision Procedure and Penalties Manual sets out a non-exhaustive list of the factors that the FCA considers before issuing a penalty, which includes looking at the nature, seriousness and impact of the suspected breach, the conduct after the breach and previous disciplinary record and compliance history of the person in question. The FCA will also consider 'the full circumstances of each case' when determining whether to impose a penalty.51

The CMA also has a range of criminal and civil powers afforded to it under legislation with regard to competition law infringements. The CMA can impose fines for breach of the CA 1998 if the CMA is satisfied an infringement has either been intentionally or negligently committed.52 The most notable fine that the CMA can impose is an amount of up to 10 per cent of a firm's worldwide turnover in the business year that proceeds the date of the CMA's decision.53

The CMA can also impose settlement and the making of commitments.54 Settlement allows early resolution of investigations by way of a voluntary process where a business under investigation by the CMA for a breach of competition law admits a breach and accepts a streamlined version of the process that will govern the remainder of the CMA investigation. In return for its cooperation and an admission of wrongdoing, the business will gain a reduction in any financial penalty that the CMA imposes. Commitments and directions in relation to the settlement are agreed between the CMA and the firm and the courts have the power to enforce them in the event of non-compliance.

The SFO has the power to prosecute in cases involving serious or complex fraud, bribery and corruption. Alternatively, the SFO may consider inviting a company to enter into a DPA. DPAs were introduced in the United Kingdom in 2014 as a discretionary tool for use by the SFO that enables prosecutors to enter into agreements with the offending corporation to suspend prosecution for a defined period of time so long as specified conditions are met by the business during the suspension period.55 DPAs are supervised by a judge and governed by the DPA Code published by the SFO and the CPS, which states that the SFO's role is as a prosecutorial authority and that DPAs are for use only in exceptional circumstances.56

Corporate tax offences are resolved primarily by means of a civil resolution by HMRC. It is possible that corporate tax offences will lead to criminal charges in the circumstances of corruption or links to wider criminal offences either in the United Kingdom or overseas.

If a corporation breaches any UK or international sanction, a distinct Treasury unit, the OFSI, is the competent authority for the implementation of penalties, including financial penalties under the Policing and Crime Act 2017. The maximum penalty that the OFSI can impose will be the greater of £1 million or 50 per cent of the value of the breach.57

Individuals prosecuted by these agencies can be ordered to pay fines, compensation and court costs and may receive prison sentences if the offences are serious enough. In addition, individuals may be disqualified from holding directorships in the United Kingdom.

iii Compliance programmes

Both the CMA and the FCA publish a variety of documents to assist companies in meeting their compliance obligations, including annual plans and a great deal of guidance in the run up to the United Kingdom's planned departure from the EU.

As described above, the BA 2010 provides a defence to the Section 7 offence, if a commercial organisation can show on the balance of probabilities that it had in place 'adequate procedures' designed to prevent bribery.

The MOJ has provided guidance on what constitutes 'adequate procedures' for the purposes of the defence. It sets out six principles to provide businesses with guidance in establishing and maintaining a compliant anti-bribery regime. The principles are:

  1. proportionate procedures;
  2. top-level commitment;
  3. risk assessment;
  4. due diligence;
  5. communication; and
  6. monitoring and review.58

The guidance is clear that it is not enough for a company to have a suite of policies, the culture of compliance and regular training will also be an important part of determining whether procedures will be considered adequate.

The Section 7(2) of the BA 2010 'adequate procedures' defence was tested for the first time in the case of R v. Skansen Interiors Limited (unreported). The case concerned two bribes that had been paid to a project manager managing the tender for an office refurbishment by Skansen Interiors Limited (SIL), a small refurbishment company. When a new chief executive officer took over at SIL and learned about the payments that had been made, he initiated an internal investigation and established an anti-bribery and corruption policy. SIL then submitted a suspicious activity report to the NCA.

The question for the jury was whether SIL had adequate procedures in place. SIL argued, among other things, that: its policies and procedures were proportionate to its size – it was a very small business operating out of a single open-plan office; its business was very localised, removing the need for more sophisticated controls; it was 'common sense' that employees should not pay bribes; the ethos of the company was one of honesty and integrity; and a company of its size did not need a more formal policy. The jury did not agree and returned a guilty verdict.

A similar offence to the Section 7 of the BA 2010 offence exists in Sections 44 and 45 of the Criminal Finances Act 2017 (CFA) in relation to the failure by a company to prevent a tax evasion offence by an associated person, which include a similar 'reasonable procedures' defence.

iv Prosecution of individuals

The CPS and the SFO look to prosecute individuals for financial crime, but recently there has been increased attention on the SFO's (failed) prosecutions of individuals connected to corporations. In particular, when a business is prosecuted within England and Wales, enforcement action will usually be taken against individuals involved. Guidance states that the prosecution of a company should not be seen as a substitute for the prosecution of criminally culpable individuals such as directors, officers, employees or shareholders of the offending company.59 The prosecution of individuals in circumstances involving corporate misconduct is viewed as essential in providing a strong deterrent against future corporate wrongdoing.60

When proceedings or enforcement action is launched against individuals, the company involved must be conscious of its obligations towards its employees. Often, the corporates will suspend the individuals suspected of wrongdoing for the duration of any investigations; however, any suspension must be deemed to be fair and reasonable. Individual employees may be entitled to further assistance from their employer company by means of assistance with legal fees in the event of any investigations, although there is no statutory requirement for this currently. Alternatively, some employees may be entitled to some form of officer liability insurance, which can provide cover for the duration of any investigations or trial. Given the scale and cost of government investigations to date, this has become the norm in larger companies.

In February 2019, two years after the Rolls-Royce DPA was secured (with the company paying £497.25 million), Lisa Osofsky announced that senior employees from the company would not be prosecuted because of 'insufficient evidence' and because such a prosecution was 'not in the public interest'.61 This announcement, which followed the collapse of the fraud trial against executives from Tesco before Christmas 2018, means that the SFO has so far failed to prosecute any individuals associated with DPAs. Sir John Royce, the judge in the last of these Tesco trials, went so far as to say that 'the prosecution case was so weak that it should not be left for a jury's consideration'.

It appears unjust that the Tesco DPA's statement of facts can assert that the three former executives were 'aware of and dishonestly perpetuated the misstatement [of figures] . . . thereby falsifying or concurring in the falsification of accounts or records' 62 and yet, when these assertions are tested in criminal court, they collapse, leaving the individuals with limited options for relief or recourse. The lawyers who defended John Scouler, former food commercial director at Tesco, noted: 'despite his acquittal, Mr Scouler finds himself labelled as culpable in a private agreement, but one which is now made public, which the SFO concluded with Tesco before the SFO's evidence was heard'.63 It remains to be seen how the SFO considers the need for actual convictions as part of the consideration for granting a DPA moving forward.

Although there have not been any successful prosecutions of individuals associated with DPAs, the SFO has been successful in prosecuting some individuals, most notably in connection with London Interbank Offered Rate or Libor rigging. In early 2019, the SFO secured the conviction (and imprisonment) of two former bankers in association with Euribor rigging.64 While there has been an increasing interest in the ability of the authorities to pursue cases against companies, the prosecution of individuals has continued to represent the greater part of the prosecutor's activities, including significant financial penalties and prison sentences. Recent legislative changes have made it easier for the authorities in the United Kingdom to prosecute companies, but these authorities all remain committed to the investigation and punishment of individuals.

iv International

i Extraterritorial jurisdiction

Any departure from the general presumption against the creation of extra-territorial liability must be expressly provided by the legislature;65 below is an overview of key examples of pieces of UK legislation containing corporate offence provisions with extra-territorial reach.

The BA 2010 has a wide territorial remit, covering offences that take place in the United Kingdom or overseas as long as the company is either a UK company or has operations in the United Kingdom. In particular, Section 7 of the BA 2010 applies to any 'relevant commercial organisation' that Section 7(5) of the BA 2010 defines as:

  1. a body incorporated under the law of any part of the United Kingdom and that carries on a business (whether there or elsewhere), or any other body corporate (wherever incorporated) that carries on a business, or part of a business, in any part of the United Kingdom; or
  2. a partnership formed under the law of any part of the United Kingdom and that carries on a business (whether there or elsewhere), or any other partnership (wherever formed) that carries on a business, or part of a business, in any part of the United Kingdom.

Among other laws, the POCA contains the United Kingdom's money laundering offences. Broadly speaking, the money laundering provisions aim to tackle the channels through which proceeds of criminal activity pass. In terms of jurisdictional reach, the location of the underlying criminal conduct is irrelevant; if the conduct would amount to a criminal offence in the United Kingdom had it occurred there, then it will fall within the ambit of the POCA, subject to very limited exceptions.66 In addition, UK nationals, living overseas, can also be prosecuted for money laundering offences committed outside the United Kingdom.

The most recent addition to the United Kingdom's extra-territorial offences was the failure to prevent the facilitation of tax evasion, introduced in September 2017, which applies to both domestic and overseas tax evasion. Under the CFA, companies are liable for the conduct of their associated persons who facilitate the evasion of either UK or overseas tax. For the UK tax evasion offence, the conduct can occur anywhere in the world; for the foreign tax evasion offence, the relevant body must either be incorporated in the United Kingdom, carry on business in the United Kingdom or the relevant conduct must have taken place in the United Kingdom. 'Relevant bodies' will be liable for failing to prevent the actions of their employees and other associated persons who criminally facilitate tax evasion.67 A 'relevant body' is a company or partnership, irrespective of jurisdiction of incorporation or formation.68 A 'person associated' with the relevant body is an employee, an agent or any other person performing services for or on behalf of that relevant body.69 To the extent the offence took place outside the jurisdiction, UK prosecutors need to prove the criminal standard that both the taxpayer and the associated person committed an offence. Like the corporate offence under the BA 2010, the CFA provides companies with a defence where they can show that they had in place 'reasonable procedures' to prevent the offending.

ii International cooperation

The UK authorities work with authorities in other jurisdictions in a variety of ways. Some 'formal' methods of cooperation are set out below, but it is not uncommon for international enforcement authorities to share information with their foreign counterparts through more informal channels of communication, relying on established relationships.70

Following the United Kingdom's decision to leave the European Union, there is a degree of uncertainty regarding the future framework for international cooperation between the United Kingdom and Europe. Presently, it is not clear how negotiations will affect mechanisms for European cooperation and what this will mean for the United Kingdom's access to EU criminal data bases and the operation of the European Arrest Warrant.

Information gateways have a statutory footing and provide means to enable certain authorities to share and supply information with each other internationally and domestically.

For instance, Section 68 of the Serious Crime Act 2015 permits public authorities to disclose information to other organisations to prevent fraud. Part XXIII of the FSMA allows for disclosure of information in order to enable the performance of a public function, and Part 9 of the Enterprise Act 2002 allows for the disclosure of information received by the CMA in certain circumstances, such as where it is disclosing that information to another authority for the purposes of criminal proceedings.

Typically, authorities may enter into memorandums of understanding (MOUs) with domestic and overseas authorities that have a similar remit. MOUs tend to explicitly set out available gateways that may be relied on and provide guidance as to how the information is transferred. For example, the PRA and FCA have entered into a number of MOUs with equivalent authorities in other jurisdictions, such as the MOU between the Dubai Financial Services Authority and the PRA, dated 12 June 2014,71 and the MOU between the US Commodity Futures Trading Commission and the FCA, dated 6 October 2016.72

Multilateral and bilateral mutual legal assistance (MLA) treaties are a form of cooperation between different countries that allow for the collecting and exchanging of information.73 Authorities may request and provide evidence located in one country to assist in criminal proceedings or investigations in another.74 The United Kingdom has signed a number of multilateral and bilateral MLA treaties, such as the bilateral agreement with the US in 1994.75

Cross-border criminal investigations often involve suspects that reside outside the jurisdiction where the investigation is being conducted. UK extradition is governed by the EU Framework Decision,76 implemented through the Extradition Act 2003.77 In the United Kingdom there are two forms of extradition: export extradition, which relates to a request by another state for the extradition of someone from the United Kingdom; and import extradition, which relates to a request to another state for the extradition of a person.78

There exist a number of bars to extradition, including the 'forum bar', which provides that extradition may be barred if it would not be in the interests of justice.79

iii Local law considerations

At the time of writing, the United Kingdom remains subject to the General Data Protection Regulation (GDPR).80 The GDPR has extra-territorial application to organisations that monitor behaviour of individuals that takes place within the European Union, or to organisations offering services or goods to individuals in the European Union.

The GDPR imposes strict data protection obligations and prohibits the transfer of personal data from the United Kingdom to a location outside the European Economic Area unless the recipient, jurisdiction or territory is able to ensure a UK-equivalent level of protection. As it stands, the European Commission has determined that only a few countries provide 'adequate' levels of protection, while many other countries, such as the United States, fall short of the standard. 81 This means organisations operating in the United Kingdom may be limited in their ability to transfer personal data into various non-EEA territories.

July 2016 saw the adoption of the EU–US privacy shield adequacy decision (the Privacy Shield).82 The Privacy Shield requires US companies to protect EU citizens' personal data in accordance with particular standards, for instance, limiting the conditions for onwards transfer of data to third parties, as well as transparency obligations on access by the US government.83 However, in a recent review carried out by the European Data Protection Board (EDPB), it was noted that areas requiring significant improvement remain, which the EDPB considers both the Commission and US authorities should address.84 Particular areas of concern include the absence of substantial checks, the application of Privacy Shield requirements regarding onward transfers and human resources data and processors.85

Legal professional privilege has been a heavily litigated issue in recent years. England and Wales recognises two forms of legal professional privilege in respect of legal advice provided by both in-house and external counsel:

  1. 'litigation privilege', which attaches to communications passing between a lawyer and a client, and also between a lawyer or client and a third party (such as a forensic accountant), for the sole or dominant purpose of preparing for adversarial litigation. The litigation can either be in progress or in contemplation; and
  2. 'legal advice privilege', which attaches to confidential communications passing between lawyer and a client for the purposes of giving or receiving legal advice. It will not usually apply to communications between a company and its own employees in the context of an investigation.

The meaning of 'client' was discussed in some detail in Three Rivers No. 5 [2003] EWCA Civ 474, yet the ratio of the case has been inconsistently understood. The concept of 'client' in a corporate context was recently considered again in The RBS Rights Issue Litigation, in which Hildyard J held that interview notes produced by lawyers during the course of an internal investigation were not protected by legal advice privilege.86 Hildyard J understood the Three Rivers No. 5 decision as establishing the principle that 'the client' for the purposes of a lawyer–client communication subject to legal advice privilege must be someone who is authorised to seek and receive legal advice.87

This approach was followed by Andrews J in the first-instance decision in ENRC.88 On appeal, the court held that whether Three Rivers No. 5 was correctly decided regarding the nature of a 'client' was a matter for determination by the Supreme Court.89 The court did indicate, however, that there was 'much force' in the submissions that, if Three Rivers No. 5 did lay down a restrictive interpretation of 'client', then it was wrongly decided.90 The court said that 'if, therefore, it had been open to us to depart from Three Rivers (No. 5), we would have been in favour of doing so'.91

The period of uncertainty following the first-instance decision in ENRC was ended by the Court of Appeal, which decided that the defendant could rely on litigation privilege as it was deemed that criminal legal proceedings were in reasonable contemplation at the time of the investigation. The SFO decided not to appeal the matter to the Supreme Court and so the scope of litigation and legal advice privilege in investigations is reserved for the time being.

v Year in review

In January 2019, Transparency International released its annual Corruption Perception Index, which saw the United Kingdom slip out of the top 10 for public sector transparency for the first time, with the head of Transparency International UK commenting that: 'A number of themes from this year's index will serve as an important warning to the UK against complacency in tackling corruption, not least with the prospect of post-Brexit pressure to lower standards.'92 While this slip is unlikely to be particularly troubling to UK business, the government and authorities will no doubt be alert to the perception that, although much has been done in recent years to bolster the United Kingdom's response to corruption and money laundering, there continue to be significant challenges in implementing the range of laws intended to combat economic crime and corporate misconduct.

The SFO has had a relatively quiet year, with mixed fortunes. It enters 2019 with a new director and general counsel93 who are looking to bring focus to new areas of the organisation. Osofsky said that one of her primary focuses would be a review, which she has indicated she will be conducting herself, of over 70 cases the SFO is currently looking at to see why charging decisions take so long. This priority is said to have contributed to the abandoning of investigations against GlaxoSmithKline and the individuals in the Rolls-Royce SFO investigation.

The recent apparent collapse of the Barclays trial is a blow for the SFO, coming soon after its failure to prosecute any individuals associated with the Tesco DPA. While those that deal with corporate criminal liability will continue to debate the ethics of a DPA without any individuals being found criminally liable, the first DPA, between the SFO and Standard Bank plc, came to a successful end in November 2018, which may give some hope that the regime has merit when properly considered and implemented. Standard Bank plc (now known as ICBC Standard Bank plc) met all of its obligations during the three years of its agreement, including the payment of over US$6 million in compensation.

The CFA brought in two particularly important changes to the economic crime regime: the first was a new offence of failing to prevent the facilitation of tax evasion (see Section IV.i), and the second was unexplained wealth orders, which essentially compel an individual who is either a politically exposed person or connected to a serious crime, to account for how he or she was able to obtain any property valued at over £50,000.94 A year on from their introduction, only one individual has been subjected to an unexplained wealth order, leading to criticism that the authorities have not made the most of this power given by the government in its efforts to make fighting economic crime a priority.

In March 2019, the House of Lords Select Committee on the BA 2010 published its post-legislative scrutiny report, which was roundly complimentary of the BA 2010, including evidence from Transparency International that the BA 2010 has 'set a new standard for business and governments globally'.95 The report did make some recommendations about how authorities could better use the act, including the MOJ providing clearer examples of legitimate corporate hospitality (something that companies have been concerned about since the act's introduction) and better training in anti-corruption issues for police forces.

The Department of Work and Pensions has also announced its intention to introduce legislation creating a criminal offence of recklessly or wilfully mishandling pension schemes. The offence will specifically focus on directors and has been prompted by the collapses of both BHS and Carillion, leaving thousands without pensions. The government has announced that directors would be sentenced to up to seven years imprisonment.

The Court of Appeal's overturning of some of the more limiting aspects in ENRC brought some comfort to corporations and investigations lawyers that privilege will apply to internal investigations, mindful of the limitations of the definition of 'client' and the importance of avoiding wholly factual interviews that may be disclosable.96 However, while the authorities may have lost that battle, the case of The Queen on the Application of KBR Inc v. The Director of the Serious Fraud Office [2018] EWHC 2368 (Admin), 6 September 2018 affirmed that Section 2 notices97 could be issued to non-UK companies as long as there was a 'sufficient connection' to the United Kingdom and, more interestingly, such notices could be extended to a non-UK companies' documents located outside of the United Kingdom.

Following the corporate collapse of Patisserie Valerie and Carillion, the CMA has announced an intention to review the auditing market in the United Kingdom, particularly the dominance of the big four accountancy firms. Auditing in the United Kingdom is regulated by the Financial Reporting Council, which has come under a lot of criticism for being toothless in comparison to its peer bodies. Whether these proposals will lead to an total overhaul remains to be seen and may depend on government appetite for change post Brexit.

vi Conclusions and outlook

Before Brexit, the UK government put considerable political effort into tackling corruption, introducing a wide range of relevant legislation. However, the fortunes of the investigatory and prosecuting bodies have been mixed and the SFO, which takes the majority of high-profile international cases, has suffered some difficult setbacks. It remains to be seen if the newly created NECC can help to coordinate and streamline the authorities' efforts to tackle economic crime.

It seems likely that Osofsky's commitment to expediting current cases could mean more DPAs, although there may be less of an incentive for companies to self-report given that it no longer appears to be a prerequisite.

With Brexit consuming the majority of political debate and blocking the opportunity for new legislative initiatives, the immediate outlook for the United Kingdom's economic crime agenda and its future relationship with overseas enforcement agencies remains uncertain.


1 Stuart Alford QC is a partner and Mair Williams and Harriet Slater are associates at Latham & Watkins LLP. The authors would like to acknowledge the kind assistance of their colleagues Sean Wells, Olivia Featherstone, Tom Watret, Katie Henshall and Tegan Creedy in the preparation of this chapter.

2 For instance, the Bribery Act 2010, which introduced a corporate offence of 'failure to prevent bribery'.

3 The SFO was created by and derives its investigatory powers from the Criminal Justice Act 1987 (CJA), which include powers to request the production of documents and the answering of questions.

4 The CMA's powers are largely drawn from the CA 1998 itself.

5 The FCA's investigatory powers are derived from the Financial Services and Markets Act 2000.

6 HMRC's investigatory powers are derived from the Finance Act 2009 (civil) and the Police and Criminal Evidence Act 1984 (criminal).

7 OFSI's powers come from the Policing and Crime Act 2017.

8 The NECC started operations on 31 October 2018.

9 The prosecuting powers of the CPS (and the SFO and FCA) are governed by the Code for Crown Prosecutors, which was updated in 2018 (available at: https://www.cps.gov.uk/sites/default/files/documents/publications/Code-for-Crown-Prosecutors-October-2018.pdf).

10 The state of the law of privilege in England and Wales has been in flux in recent years (see Section IV.iii).

11 DPAs are not available for individuals.

12 Principle 11: Relations with regulators, PRIN 2.1, the FCA Handbook (available at: https://www.handbook.fca.org.uk/handbook/PRIN/2/?view=chapter).

14 DISP 1.10, the FCA Handbook (available at: https://www.handbook.fca.org.uk/handbook/DISP/1/10.html).

15 SUP 16, the FCA Handbook (available at: https://www.handbook.fca.org.uk/handbook/SUP/16/?view=chapter).

16 MAR Schedule 2, the FCA Handbook (available at: https://www.handbook.fca.org.uk/handbook/MAR/Sch/2/2.html).

17 OFT and CMA Penalty Guidance and criminal immunity provided by Section 190(4) of the Enterprise Act 2002.

18 CMA, 18 April 2018, 'CMA's guidance as to the appropriate amount of a penalty' (available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/700576/final_guidance_penalties.pdf).

21 It was noted that without self-reporting, Rolls-Royce was only considered for a DPA because of its 'exemplary' cooperation (available at: https://globalinvestigationsreview.com/article/1138835/self-reporting-after-rolls-royce-is-it-worth-it).

22 Section 328(1), POCA.

23 e.g., Section 328(1), POCA.

25 R (on the application of AL) v Serious Fraud Office [2018] EWHC 856 (Admin).

26 Code of Practice on Deferred Prosecution Agreements (available at: https://www.cps.gov.uk/sites/default/files/documents/publications/dpa_cop.pdf).

28 Speech by Alun Milford, then SFO General Counsel, at GIR London Live, on 27 April 2017 (reported by GIR on 27 April 2017) and Speech by Alun Milford, then SFO General Counsel, at the Cambridge Symposium on Economic Crime 2017, Jesus College, Cambridge.

29 ibid., and interview with The Times, published 27 August 2014, David Green QC, then director of the SFO (available at: https://www.thetimes.co.uk/article/fraud-office-attacks-flawed-crime-reports-jj6x827q5c6).

30 Lisa Osofsky took up the role of SFO director on 28 August 2018.

32 ibid., at p. 32.

33 Director of the SFO v Eurasian Natural Resources Corporation Ltd [2017] EWHC 1017 QB.

34 Similar to an Upjohn warning given in the United States.

35 This section deals with workplace-based whistle-blowing. The UK Code of Practice for Victims of Crime and the Witness Charter provides protection outside the context of the workplace for whistle-blowers.

36 Section 43K(1)(a)(ii)) PIDA.

37 IDS Employment Law Handbooks – Volume 14 – Whistleblowing at Work – Chapter 3 – Qualifying disclosures; Cavendish Munro Professional Risks Management Ltd v Geduld [2010] ICR 325, EAT; and Kilraine v London Borough of Wandsworth [2018] ICR 1850, CA.

38 Since June 2013, the disclosures no longer need to be made in good faith in order to be protected.

42 The FRC regulates the audit industry in the United Kingdom.

44 Ministry of Justice Guidance about procedures that relevant commercial organisations can put into place to prevent persons associated with them from bribing, at Paragraph 1.7.

48 Certain statutory offences may refine the general common law rule and specify different rules of attribution or require a different application of the rules in a particular case.

49 See FSMA.

50 FCA website, '2019 fines' (available at: https://www.fca.org.uk/news/news-stories/2019-fines).

51 FCA, The Decision Procedure and Penalties Manual, DEPP 6 (available at: https://www.handbook.fca.org.uk/handbook/DEPP.pdf).

52 CA 1998.

53 Section 36(8) of the CA 1998 and Section 4 of the CA 1998 (Determination of Turnover for Penalties) Order 2004, SI 2000/309.

54 Sections 31E and 34 of the CA 1998.

55 Deferred Prosecution Agreements – Code of Practice, the Crown Prosecution Service (available at: https://www.cps.gov.uk/publication/deferred-prosecution-agreements-code-practice).

56 Code of Practice on Deferred Prosecution Agreements (available at: https://www.cps.gov.uk/sites/default/files/documents/publications/dpa_cop.pdf).

57 See Monetary Penalties for Breaches of Financial Sanctions Guidance, Office of Financial Sanctions Implementation HM Treasury.

59 The Crown Prosecution Service, 'Guidance on Corporate Prosecutions' (available at: https://www.cps.gov.uk/legal-guidance/corporate-prosecutions).

60 ibid.

65 ibid.

66 As confirmed by R v. Rogers [2014] EWCA Crim 1680.

67 The Law Society Practice Note, 4 January 2019 (available at: https://www.lawsociety.org.uk/support-services/advice/practice-notes/criminal-finances-act-2017/).

68 Sections 44(2) and (3) of the CFA.

69 Section 44(4) of the CFA.

70 'Enhancing international cooperation in the investigation of cross-border competition cases: tools and procedure', Note by the UNCTAD secretariat, 5-7 July 2017 and 'The serious business of fighting fraud', SFO Speeches, 19 January 2017.

74 ibid.

75 Treaty between the United States of America and the United Kingdom of Great Britain and Northern Ireland on Mutual Legal Assistance in Criminal Matters, signed at Washington, 6 January 1994.

76 2002/584/JHA.

77 Extradition Act 2003 (Designation of Part 1 Territories) Order (SI 2003/3333).

78 Parts 1 and 2 respectively of the Extradition Act 2003.

79 Sections 19B (Part 1 cases) and 83A (Part 2 cases), Extradition Act 2003; not in force in Scotland.

80 Regulation (EU) 2016/679.

81 Page 6, 'Data Privacy and Transfers in Cross-Border Investigations', The Investigations Review of the Americas 2019.

82 Page 1, Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU–US Privacy Shield, OJ L 207, 1 August 2016.

83 ibid.

84 European Data Protection Board EU-US Privacy Shield – Second Annual Joint Review, adopted on 22 January 2019.

85 Paragraph 26, P7, European Data Protection Board EU-US Privacy Shield – Second Annual Joint Review, adopted on 22 January 2019.

86 Re The RBS Rights Issue Litigation [2016] EWHC 3161.

87 ibid.

88 [2017] EWHC 1017 (QB).

89 [2018] EWCA Civ 2006, Paragraph 59.

90 ibid., Paragraph 124.

91 ibid., Paragraph 130.

93 Sara Lawson QC was appointed as general counsel in February 2019.

94 The specific terms of the unexplained wealth order will be determined in each case.

95 The Bribery Act 2010: post-legislative security (available at: https://publications.parliament.uk/pa/ld201719/ldselect/ldbribact/303/303.pdf).

96 In March 2019, ENRC filed a £70 million claim for damages.

97 Under the CJA.