I INTRODUCTION

Generally, Ireland is considered a low-risk economy and a secure place in which to do business. On 29 January 2019, Transparency International published its 2018 Corruption Perceptions Index, which measures the perceived levels of public sector corruption in 176 countries. In 2018, Ireland ranked 18th with a score of 73. According to the index, Ireland continues to be perceived as one of the least corrupt countries in the world. However, in spite of this, Ireland has been criticised following the financial crisis for its lack of enforcement in the areas of corporate governance and white-collar crime, and Transparency International's 2018 Progress Report assessing enforcement of the OECD's Anti-Bribery Convention ranked Ireland as conducting 'little or no enforcement' of the convention.

In November 2017, the Irish government published the Measures to Enhance Ireland's Corporate, Economic and Regulatory Framework, aimed at strengthening Ireland's response to corporate misconduct.2 The focus of the framework is combating white-collar crime and has been developed to augment the existing regulatory and legislative framework in the area of corporate, economic and regulatory crime. The measures are a further commitment by the government to ensure Ireland is a secure place in which to do business.3 Since their publication, a number of these measures have been introduced, such as the enactment of the Criminal Justice (Corruption Offences) Act 2018 on 30 July 2018, which effectively repealed and replaced the seven existing Prevention of Corruption Acts 1889 to 2010 with one statute.

In addition, the Law Reform Commission's Report on Regulatory Powers and Corporate Offences was published in October 2018, and this recommended a number of reforms, such as:

  1. the establishment of a sufficiently resourced and multidisciplinary statutory Corporate Crime Agency;
  2. the introduction of deferred prosecution agreements;
  3. a core set of regulatory powers for all regulators in the wider economic context, such as in competition law, communications regulation and health products regulation, including the power to impose administrative sanctions and compliance settlements; and
  4. a reformation of fraud offences to include liability for 'subjective recklessness'.

The Law Reform Commission also set out a number of recommendations for corporate offences that would clarify the circumstances in which a corporate body could be held criminally liable for systemic failures by its senior executives.

There has been a significant increase in regulatory oversight and enforcement in Ireland in recent years. The Irish Data Protection Commission (DPC) is now one of the best resourced data protection authorities in Europe, with huge investment in industry experts, and investigations launched into 17 multinational technology companies. The Central Bank, Ireland's primary financial services regulator, continues to take a strong line on the conduct and culture of the firms it regulates, promoting greater individual accountability and taking a strong line on enforcement. It has imposed 127 fines on regulated entities under its Administrative Sanctions Procedure, bringing total fines imposed by the Central Bank since 2006 to over €70 million. The Office of the Director of Corporate Enforcement (ODCE) in Ireland has also recently launched a number of high-profile investigations into corporates for matters relating to corporate governance.

There are a number of bodies, regulatory and otherwise, empowered to investigate corporate conduct in Ireland, including:

  1. An Garda Síochána (the Irish police);
  2. the ODCE;
  3. the Office of the Revenue Commissioners (the Revenue Commissioners);
  4. the Central Bank; the Competition and Consumer Protection Commission (CCPC);
  5. the DPC;
  6. the Health and Safety Authority (HSA);
  7. the Commission for Communications Regulation (ComReg);
  8. Customs and Excise;
  9. the Criminal Assets Bureau;
  10. the Environmental Protection Agency;
  11. the Health Products Regulatory Authority;
  12. the Health Information and Quality Authority; and
  13. the Workplace Relations Commission.

Offences are either summary (minor) or indictable (serious). In general, regulatory bodies are authorised to prosecute summary offences. However, the Office of the Director of Public Prosecutions (DPP) is the relevant body for the prosecution of criminal offences on indictment. The DPP has no investigative function; the relevant regulatory or investigating body prepares a file and submits it to the DPP for consideration. It is then solely at the discretion of the DPP as to whether a case will be taken in respect of the suspected offence.

The investigation of criminal offences is primarily the function of the police. The police have a wide range of powers, which include:

  1. to approach any individuals and make reasonable enquiries to stop and search;
  2. to seize evidence;
  3. to enter and search premises; and
  4. to detain and arrest.

There are a number of specialist units that support the police with investigations into corporate misconduct, including the Garda National Economic Crime Bureau (GNECB), the Criminal Assets Bureau (CAB) and the Garda National Cyber Crime Bureau (GNCCB). The GNECB investigates economic crime, including fraud, CAB investigates the suspected proceeds of criminal conduct and the GNCCB is tasked with the forensic examination of electronic data seized during the course of criminal investigations in addition to conducting investigations into cyber crime or online offences.

Currently, the ODCE is afforded a wide range of investigative powers under the Companies Act 2014 and is responsible for the enforcement of company law, including:

  1. by way of fact-finding investigations;
  2. prosecutions for suspected breaches of company law;
  3. supervision of companies in official and voluntary liquidation and of unliquidated insolvent companies;
  4. restriction and disqualification of directors and other company officers;
  5. supervision of liquidators and receivers; and
  6. the regulation of undischarged bankrupts acting as company officers.

In respect of prosecution, the ODCE has the power to prosecute summary offences and to refer cases to the DPP for prosecution on indictment.4 However, under the General Scheme of the Companies (Corporate Enforcement Authority) Bill 2018, which was published in December 2018, it is proposed that the ODCE will be re-established as an agency, in the form of a commission, which will be known as the Corporate Enforcement Authority (CEA). The CEA will be established as an independent company law compliance and enforcement agency, and will have greater powers than the ODCE. The CEA will operate independently of any government department in order to provide more independence in addressing company law breaches. The establishment of the CEA is regarded as a fundamental element of the government's commitment to enhance Ireland's ability to combat white-collar crime.

The primary function of the CEA will be to encourage compliance with the Companies Act 2014. As such, its role will be to investigate instances of suspected offences or non-compliance with the Companies Act 2014. This may involve the appointment of inspectors, the commencement of criminal investigations and the resulting prosecution of summary offences, together with the civil enforcement of obligations, standards and procedures. The Bill also seeks to give the CEA new investigative tools. First, it provides for the admission of written statements into evidence in certain circumstances and will create a statutory exception to the rule against hearsay. Second, there is an enhanced power regarding the searching of electronically held evidence in that the CEA will be permitted to access data under the control of an entity or individual, regardless of where the data is stored and to access it using any means necessary to ensure best compliance with evidence rules and digital forensics principles.

The Central Bank also has investigatory and regulatory powers, including powers of inspection, entry, search and seizure, in respect of financial institutions under the Central Bank Act 1942, as amended. The Central Bank is responsible for regulating the financial services industry. Its enforcement work can be divided into two processes: an administrative sanctions procedure by which the Central Bank investigates breaches of financial services law by regulated firms and individuals; and a fitness and probity regime pursuant to which individuals in designated positions within regulated firms must be competent, capable, honest, ethical, of integrity and financially sound. The Central Bank's investigative powers include compelling the production of documents, compelling individuals to attend interviews and conducting on-site inspections. The Central Bank publishes its Strategic Plan every three years, which sets out its priorities for the next three-year period based on a set of strategic themes and their statutory and organisational objectives. In its current Strategic Plan 2019–2021, it lists the following themes as its strategic objectives: strengthening resilience; Brexit; strengthening consumer protection; engaging and influencing; and enhancing organisation capability.

The Revenue Commissioners is the government agency responsible for the assessment and collection of taxes. It also has investigative and prosecutorial powers to:

  1. enter and search premises;
  2. inspect goods and records;
  3. take samples;
  4. question individuals;
  5. remove and retain records;
  6. stop, search and detain vehicles;
  7. seize and detain goods and conveyances; and
  8. search and arrest individuals.

The investigation and prosecutions division is responsible for the development and implementation of policies, strategies and practices in relation to serious tax evasion and fraud offences. It has a wide range of powers, which include: to conduct civil investigations;5 to conduct investigations into trusts and offshore structures, funds and investments;6 and to obtain High Court orders.7 Of particular significance is the power to obtain information from financial institutions and procure search warrants to this effect.8

The CCPC is responsible for enforcing competition and consumer protection law, and holds extensive powers of investigation in relation to suspected breaches of competition and consumer protection law. The CCPC has powers of entry and search and seizure, including the power to search any premises used in connection with a company.9 Its search powers are not confined to a company's offices but extend to the homes of directors or employees. The CCPC's powers extend to compelling evidence and individuals, powers recently utilised during its ongoing investigation in the motor insurance sector in Ireland.

ComReg is responsible for the regulation of the telecommunications industry and is one of the more prolific regulatory enforcers in Ireland, with wide ranging powers of investigation, including powers to compel evidence, powers of entry and search and seizure, and the power to levy fines through applications to the Irish courts.

The regulatory body previously known as the Office of the Data Protection Commission is now known as the DPC under the Data Protection Act 2018. It is responsible for upholding the fundamental right of individuals to data privacy through the enforcement and monitoring of compliance with data protection legislation in Ireland. If the DPC receives a complaint relating to a breach of data protection rights, it is obliged to investigate the alleged breach, though it will generally require the complainant to raise the matter directly with the organisation concerned in the first instance. Additionally, the DPC may investigate the unlawful processing of personal data and audit data processors of its own accord. The DPC secures compliance with data protection law through the exercise of its statutory powers, including the use of enforcement notices. It is an offence for a controller or processor to fail to comply with an enforcement notice without reasonable excuse. The HSA is responsible for ensuring that workers are protected from work-related injury and ill health by enforcing occupational health and safety law. The powers of the HSA include the right of entry, the right of inspection, the right to require the production of records, the right to require the provision of information, the right to take measurements and samples, and the right to require that machinery be dismantled.

The DPP was created by statute with the specific aim of maintaining prosecutorial independence. Section 6 of the Prosecution of Offences Act 1974 makes it an offence for persons (other than an accused, suspect, victim or person directly involved) to communicate with the DPP with a view to influencing a decision to commence or continue criminal proceedings. However, arguably there is a lack of transparency in relation to the decisions to prosecute, or not prosecute, particular crimes, as the DPP does not publish the reasons for a decision on prosecution. The DPP introduced a pilot scheme on 22 October 2008, under which the DPP will publish the reason for its decision not to prosecute in cases where an individual has died as a result of an alleged crime, including manslaughter and workplace death. For all decisions made on or after 16 November 2015, a victim can ask the DPP for a summary of the reasons for its decision.

Investigating authorities may request companies in Ireland to assist them in their investigations on a voluntary basis. There are specific provisions pursuant to which regulatory and law enforcement authorities can compel cooperation or participation of a company or individual; however, these provisions are often not exercised at least in the first instance. Companies and individuals should be cognisant of contractual obligations of confidentiality and the rights of privilege against self-incrimination if any such request is made by any regulatory or law enforcement authority.

II CONDUCT

i Self-reporting

There are a number of legislative provisions that impose a positive obligation on persons (including companies) to report wrongdoing in certain circumstances:

  1. Section 19 of the Criminal Justice Act 2011 (the 2011 Act) provides that a person is guilty of an offence if he or she fails to report information that they know or believe might be of material assistance in preventing the commission of, or securing the prosecution of, another person of certain listed offences, including many white-collar offences. The disclosure is required to be made as soon as is practicable. However, the person considering making the report may need to make enquiries to be satisfied that a report is justified. The applicable standard for what information meets the threshold of 'material assistance' in preventing the commission of, or securing the prosecution of, an offence has not yet been expanded on or tested before the Irish courts. However, in the recent Supreme Court decision of Sweeney v. Ireland,10 the court saw a challenge to the constitutionality of a nearly identical offence under Section 9(1) of the Offences Against the State (Amendment) Act 1998. The wording of Section 19(1)(b) of the 2011 Act is identical to that of Section 9(1)(b) of the 1998 Act except that the former applies to a 'relevant offence' and the latter applies to a 'serious offence'. In finding that the provision was sufficiently certain, the Supreme Court held that the 1998 Act was clear in what it obliges witnesses to do: to disclose information pertaining to serious offences which they know will aid in the prosecution of such an offence. The judgment also discussed the similar reporting obligation under Section 19 of the Criminal Justice Act 2011, among others, and while the Court noted that no comment has been made as to the constitutionality of such similar provisions, the decision provides clarification that such reporting obligations would likely withstand any legal challenge and thus, trigger criminal offences if not complied with.
  2. The relevant offences for the purposes of the 2011 Act are specified in Schedule 1 of the 2011 Act and include offences under the Criminal Justice (Corruption Offences) Act 2018. As a result, it imposes a mandatory obligation on both companies and individuals to report suspected instances of bribery and corruption. However, no specific statutory provision exists in Ireland providing for leniency where a company self-reports a corruption or bribery offence.
  3. Section 38(2)(a) of the Central Bank (Supervision and Enforcement) Act 2013 places an obligation on the senior personnel of a regulated financial services body to disclose to the CBI, as soon as is practicable, information relating to a suspicion of, or the commission of, an offence under financial services legislation.
  4. Section 42(1) of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 provides that certain designated persons have an obligation to report any knowledge or suspicion that another person has been or is engaged in an offence of money laundering or terrorist financing to the police and the Revenue Commissioners.
  5. Section 59 of the Criminal Justice (Theft and Fraud Offences) Act 2001 obliges the auditor of a company to disclose to the police information of which the auditor may become aware in the course of his or her duties that suggests the commission by the company or entity of any offences under that Criminal Justice (Theft and Fraud Offences) Act 2001. This obligation is notwithstanding any professional obligations of privilege or confidentiality on the part of the auditor.
  6. Section 393 of the Companies Act 2014 places a duty on auditors to report to the ODCE where an auditor comes into possession of information that leads him or her to believe that a Category 1 or 2 offence may have been committed. The Companies Act 2014 sets out the different types of offences by categorising them from 1 to 4, with Category 1 being the most serious. Category 1 offences include offences such as false accounting and fraudulent trading. Category 2 offences range from financial assistance, dishonest dealings before a company becomes insolvent or goes into liquidation, failure to keep adequate accounting records, failure to communicate with and make full disclosure to statutory auditors and other similar offences.

Although, in practice, self-reporting may be a mitigating factor in prosecution or sentencing, immunity or leniency based on this conduct is rarely expressly afforded by legislation. However, the list of sanctioning factors set out in the CBI's Administrative Sanctions Procedure includes 'how quickly, effectively and completely the regulated entity brought the contravention to the attention of the CBI or any other relevant regulatory body'.11

The DPP has a general discretion whether to prosecute in any case having regard to public interest. Within that discretion is the power to grant immunity in any case. Any grant of immunity will generally be conditioned on the veracity of information provided and an agreement to give evidence in any prosecution against other bodies or individuals. There are no specific guidelines governing the granting of immunity in general. However, in the realm of competition law, the CCPC, in conjunction with the DPP, operates a Cartel Immunity Programme (CIP) in relation to breaches of the Competition Act 2002, as amended. Applications for immunity under the CIP are made to the CCPC. However, the decision to grant immunity is ultimately at the discretion of the DPP.

A person applying for immunity under the CIP must come forward as soon as possible, and must not alert any remaining members of the cartel to their application for immunity under the programme. Further, the applicant must not have incited any other party to enter or participate in the cartel prior to approaching the CCPC. It is important to note that immunity under the CIP is available only to the first member of a given cartel who satisfies these requirements.

Once an application for conditional immunity has been granted, a positive duty is imposed on the applicant to cooperate fully with the investigation, on a continuing basis and at no expense to the CCPC. In particular, the applicant must reveal all cartel offences in which he or she was involved and provide full disclosure in relation to same. If the applicant is a company or corporation, the application for immunity must be made by the company in its separate legal capacity. Failure to comply with the requirements set out in the CIP may result in conditional immunity being revoked by the DPP.

ii Internal investigations

There is generally no restriction on a company initiating an internal investigation, particularly in relation to suspected criminal conduct. The company is only under an obligation to share the results of an investigation with the relevant authorities where it is required under a court order, statute or self-reporting obligation (see Section II.i). In considering such matters, the advice of external legal counsel is usually engaged.

An internal investigation usually makes use of a wide range of evidence – hard-copy and electronic documentation, witness interviews, computer forensics and financial records are all open to an internal investigation.

There has been some clarification of issues surrounding fair procedures in recent case law. In Joyce v. Board of Management of Colaiste Iognáid, the High Court held that natural justice principles do not apply at the initial stages of an investigation, such as the initial consideration of an issue, but are engaged when formal proceedings from which findings may be drawn commence.12

If witness interviews are conducted, the employees in question have no statutory right to legal representation. However, if an employee or witness is, or may become, the subject of the investigation, the employer should consider advising the employee or witness to have legal representation to be sure of being afforded fair procedures rights and to prevent any later legal challenge to the investigation process. However, this should be assessed case by case.

Any requirement to disclose documents obtained through an internal investigation to the authorities is qualified by legal professional privilege. Documentation may attract legal professional privilege, either in the form of legal advice privilege or litigation privilege. Legal advice privilege protects from disclosure, any confidential communications between a lawyer and his or her client created for the purpose of seeking, giving or obtaining legal advice. In Miley v. Flood,13 the High Court confirmed that legal professional privilege can only be invoked in respect of legal advice and not in respect of legal assistance. Litigation privilege, which is broader than legal advice privilege, applies to confidential communications between a lawyer and a client, or one of them and a third party such as an expert, the dominant purpose of which is for use in contemplated or existing litigation.

In the recent decision in Re Sean Dunne (a bankrupt) v Yesreb Holding & anor: Celtic Trustees v Sean Dunne (a bankrupt),14 the Irish courts adopted a narrow view regarding the purpose for which a document was created during an investigation. The court found that litigation privilege did not attach to the transcript of an interview carried out by the official assignee with one of the vendors of a property that had been purchased by Sean Dunne, as the dominant purpose of the interview was for investigation rather than the conduct of litigation, though it was accepted that litigation was apprehended at the time of the interview. However, the refusal to recognise the transcript as privileged may have stemmed from the particular facts of the case and the fact the investigation was carried out under a statutory investigative order.

In another recent decision of the Irish High Court in Director of Corporate Enforcement v. Buckley,15 the Court affirmed the position that privilege can apply in the context of a regulatory investigation where expert input is sought and provided. In that case, the respondent resisted access to documents on the basis that they were legally privileged 'for the purpose of providing instructions and obtaining legal advice and also in contemplation / furtherance of litigation and an investigation' by the ODCE. The Court accepted the respondent's argument that electronic communications between a company director, his solicitor and an IT employee attaching a draft response to a request from the ODCE during the course of a statutory investigation were protected by privilege where the communication was issued 'for the purposes of advancing the respondent's draft statement and was sent on a confidential basis and without a waiver of privilege by the respondent'.

Privilege over any document is a right of the client, which he or she may choose to waive. In general, the disclosure of an otherwise privileged document to a third party will waive privilege. However, following the decision in Fyffes v. DCC,16 the courts will permit the disclosure of an otherwise privileged document to a third party for a limited and specified purpose without privilege being waived. In these circumstances, it is essential that the entity making the disclosure seeks assurances by way of a confidentiality agreement that the recipient will not disclose the privileged documents and will use them only for the specified and limited purpose for which they have been disclosed.

Therefore, in the context of regulatory investigations, legal professional privilege is relevant when considering the power of regulatory authorities to inspect documentation and compel the production of documents.

iii Whistle-blowers

The Protected Disclosures Act 2014 (the Protected Disclosures Act) is the key piece of legislation in relation to reporting suspicions of illegal activity. It is the first comprehensive piece of legislation governing whistle-blowing, where previously only piecemeal provisions existed. Public sector bodies must now put in place whistle-blowing policies that meet the requirements of the Protected Disclosures Act; and where private sector companies have policies in place, they must review them to ensure they are aligned to the provisions of the Protected Disclosures Act. The Industrial Relations Act 1990 (Code of Practice on Protected Disclosures Act 2014) (Declaration) Order 2015 (the Code of Practice) gives guidance on what should be contained in a whistle-blowing policy.

Part 3 of the Protected Disclosures Act sets out the protections offered to those who make protected disclosures. If a worker makes a protected disclosure, the employer in question may face liability for dismissing or penalising the worker, bringing an action for damages or an action arising under criminal law, or disclosing any information that might identify the person who made the disclosure. Further, the Protected Disclosures Act makes provision for a cause of action in tort for the worker for detriment suffered as a result of making a protected disclosure.

Section 5 of the Protected Disclosures Act defines a 'protected disclosure' as a disclosure of relevant information, made by a worker, which, in his or her reasonable belief, shows a 'relevant wrongdoing' and which came to his or her attention in the course of his or her employment. Section 5(3) of the Protected Disclosures Act defines a 'relevant wrongdoing' as:

  1. relating to the commission of an offence;
  2. non-compliance with a legal obligation (except one arising under the worker's employment contract);
  3. a miscarriage of justice;
  4. endangerment of health and safety;
  5. damage to the environment;
  6. misuse of public funds;
  7. mismanagement by a public body; or
  8. concealing or destroying information relating to any of the above.

The definition of 'worker' in Section 3 of the Protected Disclosures Act is also quite broad in its scope and covers employees (including temporary and former employees), interns, trainees, contractors, agency staff and consultants.

The Protected Disclosures Act also sets out a procedure for redress for a worker who makes a protected disclosure. If the matter is part of an unfair dismissals claim by the worker and an Adjudication Officer of the Workplace Relations Commission finds in favour of the worker, it can require the employer to take a specified course of action or require the employer to pay compensation of up to 260 weeks' remuneration to the worker.17

Save in respect of disclosures that involve the disclosure of trade secrets (see below), the motivation for making a disclosure is irrelevant and there is no obligation that such a disclosure must be made in the public interest. This provision aims to protect companies from malicious and ill-founded claims.

The Protected Disclosures Act closely reflects, and brings Ireland in line with, international best practice in the area. In achieving its principal aim of protecting those who make a protected disclosure from reprisal from their employers, it places a significant burden on employers in all sectors to ensure they have adequate policies in place and conform to their requirements.

It is worth noting that the European Parliament have agreed on a proposal for a directive that would provide minimum whistle-blowing protection standards across Europe. The standards proposed largely reflect those in place in Ireland already, but the most likely impact would be the potential broadening of the definition of what is a protected disclosure. The next step would be for the proposed directive to be approved by EU ministers. Implementing legislation would then be needed in Ireland. Member States will then have two years to comply with the directive.

In addition, a new EU wide directive concerning trade secrets (Directive 2016/943 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (the Trade Secrets Directive)) was given legal effect in Ireland in June 2018 by way of the European Union (Protection of Trade Secrets) Regulations 2018. The 2018 Regulations provide for civil redress measures and remedies if a trade secret is unlawfully acquired, used or disclosed, and stipulate that a whistle-blower must prove their motivation for revealing trade secrets as part of the protected disclosure where they decide to so. Before this amendment, the motivation of a whistle-blower was not relevant. Pursuant to the 2018 Regulations, whistle-blowers may be liable to a fine of €50,000 and a three-year custodial sentence for making a protected disclosure, using trade secrets, where the individual cannot prove that the disclosure was motivated by the protection of the general public interest.

III ENFORCEMENT

i Corporate liability

The Interpretation Act 2005 provides that in all Irish legislation, any reference to 'persons' includes references to companies and corporate entities. Therefore, a company can, in theory, be subject to criminal or civil liability in the same manner as an individual and can be liable for the conduct of its employees and officers. However, corporate liability has predominantly been restricted to offences where a fault element (mens rea) is not required, namely those of absolute, strict and vicarious liability. Many regulatory offences carrying corporate liability are established as such offences.

For example, Section 343(11) of the Companies Act 2014 imposes absolute liability in circumstances where a company fails to send its annual financial accounts to the Company Registrations Office, and provides that the company will be guilty of an offence. In contrast, Section 271 of the Companies Act 2014 provides that an officer of a company will be presumed to have permitted a default by the company, unless the officer can establish that he or she took all reasonable steps to prevent the default, or was unable to do so by reason of circumstances beyond his or her control. Under the recently enacted Criminal Justice (Corruption Offences Act) 2018 (the Corruption Offences Act), a company can be held liable for corrupt actions committed for its benefit by any director, manager, secretary, employee, agent or subsidiary, unless the company can demonstrate that it took 'all reasonable steps and exercised all due diligence' to avoid the offence being committed.

Additionally, the Competition Act 2002 imposes vicarious liability by providing, for the purposes of determining the liability of a company for anticompetitive practices or abuse of a dominant position, that the acts of an officer or employee of a company carried out for the purposes of, or in connection with, the business affairs of the company will be regarded as an act of the company.

While theoretically a company can be guilty of a mens rea offence, the means of attributing the acts of an employee to a company for the purposes of criminal liability is not settled in Irish law. The Irish and English courts have recognised two modes of importing direct liability to a company: the identification doctrine and the attribution doctrine. The former focuses on the extent to which the individual employee or officer who committed the offence represents the 'directing mind and will' of the company, thereby rendering the company criminally liable. The attribution doctrine, on the other hand, is not concerned with the individual's position in the company, but rather imposes a form of absolute liability on companies where their officers or employees commit offences in the course of, and connected with, their employment. While there is conflicting jurisprudence on the preferred approach, only the identification doctrine has been endorsed by the Irish Supreme Court,18 albeit in the context of the imposition of civil liability on a corporation. The uncertainty in this area about the correct test to apply to determine to criminal liability of a corporate has led the Law Reform Commission to make a number of recommendations for reform in this area in its 2018 Report on Regulatory Powers and Corporate Offences.

If it is proposed that companies and individuals would be represented by the same counsel, the rules governing conflicts of interest in the Solicitors' Code of Conduct would warrant consideration, which provides that: 'if a solicitor, acting with ordinary care, would give different advice to different clients about the same matter, there is a conflict of interest between the clients, and the solicitor should not act for both.' Each case will be different and will need to be considered on its own specific facts.

ii Penalties

Irish criminal legislation typically provides for monetary fines or terms of imprisonment for offences. Given the nature of corporate entities, the most common form of sanction against a corporate entity is a fine. However, while less common, legislation also provides for compensation orders19 (whereby the guilty party is required to pay compensation in respect of any personal injury or loss to any person resulting from the offence), adverse publicity orders20 (in the form of publication of the offence and the identity of the entity found guilty) and remedial orders21 (to undo the harm caused by the offence).

Another common sanction against directors of companies is a disqualification order. Under Section 839 of the Companies Act 2014, where a person has been convicted of an indictable offence in relation to a company, or convicted of an offence involving fraud or dishonesty, that person may not be appointed to, or act as, an auditor, director or other officer, receiver, liquidator or examiner or be in any way, whether directly or indirectly, concerned or take part in the promotion, formation or management of any company.

The CBI also operates the Administrative Sanctions Procedure pursuant to the Central Bank Act 1942, as amended. This legislation bestows a range of sanctions at the CBI's disposal. Part IIIC, as amended, sets out the powers of the CBI to impose sanctions in respect of the commission of prescribed contraventions by regulated financial services providers. The monetary penalty for financial institutions is an amount up to €10 million or 10 per cent of the annual turnover of the regulated financial service provider in the last financial year, whichever is the greater.22 As mentioned above, since 2006, the Central Bank has imposed 127 fines on regulated entities under its Administrative Sanctions Procedure, bringing total fines imposed by the Central Bank to over €70 million. The CBI has used these powers to reach settlements with financial institutions for regulatory breaches. In addition, the CBI has the power to suspend or revoke a regulated entity's authorisation in respect of one or more of its activities. The Law Reform Commission has recommended in its 2018 Report on Regulatory Powers and Corporate Offences that the Administrative Sanctions Procedure should, subject to some reforms, be extended to similarly situated financial and economic regulators.

A wide range of penalties exist under the Competition (Amendment) Act 2012. The maximum prison sentence for an offence relating to anticompetitive agreements, decisions and concerted practices is 10 years, and the maximum monetary penalty is a fine of €5 million or 10 per cent of turnover.23 Further, the Irish courts have jurisdiction under the Companies Act 2014 to disqualify an individual from acting as a director of a company if that individual is convicted of a competition offence on indictment.24

Under the Corruption Offences Act, if convicted, a company or an individual is liable to a fine of up to €5,000 on summary conviction or an unlimited fine on conviction on indictment.25 On conviction, an individual may also be liable to up to 12 months' imprisonment on summary conviction and up to 10 years' imprisonment on indictment, together with the forfeiture of any gift, consideration or advantage obtained in connection with the offence or property to the value of such gift, consideration or advantage.26 With regard to a public official, a court may order that they be removed from their public position.27 The court can also prohibit those convicted of corruption offences from seeking public appointment for up to 10 years.28

iii Compliance programmes

Compliance programmes are not generally provided for in legislation as a defence to criminal proceedings. The Corruption Offences Act was commenced on 30 July 2018, and is the principal statutory source of bribery law in Ireland repealing the Public Bodies Corrupt Practices Act 1889 and the Prevention of Corruption Act 1906–2010. The Corruption Offences Act has consolidated and modernised the Irish law in this area and is expected to have a significant impact on corporates operating in Ireland. A notable provision, similar to the content of Section 7 of the UK Bribery Act 2010, is Section 18(2) of the Corruption Offences Act, which provides that a company may be held liable for the corrupt actions committed for its benefit by any director, manager, secretary, employee, agent or subsidiary. The Corruption Offences Act contains an explicit defence for a company charged with an offence under Section 18 if it can show that the company took 'all reasonable steps and exercised all due diligence to avoid the commission of the offence'.

If a company is found guilty of an offence, a wide range of factors may be taken into account when sentencing and these are at the discretion of the court. Mitigating factors include whether the company ceased committing the criminal offence upon detection or whether there were further infringements or complaints after the offence was detected, whether remedial efforts to repair the damage caused were used by the company and whether the company itself reported the infringement before it was detected by the prosecuting authority. Additionally, in imposing any sentence, the court must comply with the principle of proportionality as set out in People (DPP) v. McCormack.29 The existence and implementation of a compliance programme may assist in reducing the quantum of any sentence to be imposed, but there is no legislative mechanism for this.

iv Prosecution of individuals

When there are allegations of an individual's misconduct in the course of his or her employment, the company may first conduct an internal investigation into the alleged offence. If the company concludes that the alleged conduct did take place, the company may be required to report this activity to the relevant authorities. During this investigation, the individual may be placed on 'gardening leave' or be suspended. However, in the case of Bank of Ireland v. O'Reilly, the High Court stipulated that employers must exercise extreme care when suspending an employee pending an investigation.30

However, if criminal prosecution precedes an internal investigation, in general, internal disciplinary procedures are suspended, based on respecting the individual's right to silence. Notably, the High Court has decided that the acquittal of an employee of criminal charges does not preclude employers from considering whether an employee should or should not be dismissed on the basis of the impugned conduct.31

There is a prohibition on indemnifying directions in respect of any liability that would otherwise attach to him or her in respect of any negligence, default, breach of duty or breach of trust of which he or she may be guilty in relation to the company32. However, the Companies Act 2014 also provides that a company may purchase and maintain, for any of its officers or auditors, directors and officers (D&O) insurance in respect of any liability arising under negligence, default, breach of duty or breach of trust.33 Accordingly, a company may indemnify an officer of the company for any liability incurred by him or her in defending the proceedings, whether civil or criminal, provided judgment is given in the individual's favour or the individual is acquitted.34 In practice, D&O policies tend to exclude losses resulting from fraud or dishonesty, malicious conduct and the obtaining of illegal profit.

The Corruption Offences Act provides for the criminal liability of corporate bodies where a director, manager, secretary or other officer, employee or subsidiary commits an offence with the intention of obtaining or retaining business or an advantage in the conduct of business.

Almost all modern Irish regulatory legislation includes a standard provision allowing the imposition of personal criminal liability on directors, managers or other officers of a company, if the company commits an offence. Typically, this standard provision states:

Where an offence under this Act is committed by a body corporate or by a person acting on behalf of a body corporate and is proved to have been so committed with the consent, connivance or approval of, or to have been facilitated by any neglect on the part of any director, manager, secretary or any other officer of such body, such person shall also be guilty of an offence.

The Corruption Offences Act also provides under Section 18(3) that, where a corruption offence was committed with the consent, connivance, or was attributable to the wilful neglect, of a person who was a director, manager, secretary or other officer of the body corporate, or a person purporting to act in that capacity, then the individual may also be found liable in their personal capacity.

Although, to date, prosecutions of individuals under such provisions are relatively rare, it is worth mentioning a recent decision of the Court of Appeal, DPP v. TN35 where the court found a manager may be prosecuted for company offences where he or she has functional responsibility for a significant part of the company's activities and has direct responsibility for the area in controversy. The court observed that, in the modern business environment, responsibilities are distributed such that it is difficult to say that one individual is responsible for the management of the whole of the affairs of a company. A 'manager' does not have to be actively involved in every area of the company's business. The individual in this case, Mr TN, had no involvement in the financial side of the business, but he had direct responsibility for the operation of the facility and for compliance with the terms of its waste licence.

IV INTERNATIONAL

i Extraterritorial jurisdiction

Ireland does not, in general, assert extraterritorial jurisdiction in respect of acts conducted outside the jurisdiction. However, extraterritorial jurisdiction may be conferred by statute to varying degrees. For instance, Section 4 of the Competition Act 2002 provides that it is an offence to be a party to an anticompetitive agreement that has the effect of preventing, restricting or distorting competition in trade in goods or services within the state. Importantly, the Section is not restricted to agreements made within Ireland.

There are a number of specific offences for which Ireland exercises extraterritorial jurisdiction.

Corruption

As mentioned, the Corruption Offences Act was introduced on 30 July 2018. The Corruption Offences Act is designed to consolidate a range of legislation enacted between 1889 and 2010 and introduce new offences and other revisions, some of which derive from the Tribunal of Inquiry into Certain Planning Matters and Payments. The Act further modernises anti-corruption laws and will help Ireland meet its commitment to various international anti-corruption instruments, such as EU Council Decisions, the United Nations Convention on Corruption, the OECD Convention on Bribery of Foreign Public Officials and the Council of Europe Criminal Law Convention on Corruption.

Money laundering

The Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (the CJ(MLTF) Act) sets out specific circumstances in which an action can be interpreted as money laundering outside Ireland. If an individual or a company engages in conduct in a foreign jurisdiction that would constitute a money laundering offence both under the CJ(MLTF) Act and in that foreign jurisdiction, they can be prosecuted in Ireland.36 This extraterritorial jurisdiction may only be exercised if the individual is an Irish citizen, ordinarily resident in the state; or the body corporate is established by the state or registered under the Companies Act.

The Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2018 came into force on 26 November 2018. This act gives effect to the EU Fourth Money Laundering Directive (Directive 2015/849 (4AMLD)) and makes a range of amendments to existing anti-money laundering (AML) legislation set out in the Criminal Justice (Money Laundering and Terrorist Financing) Acts 2010 and 2013. The Act itself imposes increased responsibility on 'obliged entities' to identify and assess potential risks of money laundering and terrorist financing in their business relationships and transactions. Aside from the requirement to identify individuals holding ultimate beneficial ownership, the most important change it introduces in Irish law is the inclusion of both domestic and foreign politically exposed persons (PEPs) under the new rules. Previously, only foreign PEPs were subject to a mandatory enhanced regime.

ii International cooperation

The Criminal Justice (Mutual Assistance) Act 2008 (the Mutual Assistance Act)37 is the primary piece of legislation governing mutual legal assistance between Ireland and other countries. The extent of available cooperation under mutual legal assistance procedures is dependent on the identity of the corresponding state. The greatest level of cooperation exists between Ireland and other EU Member States. Cooperation with third countries (those outside the European Economic Area) is dependent on their ratification of relevant international agreements or the existence of a mutual assistance treaty agreed between them.

Most notably, the Mutual Assistance Act allows Ireland to take evidence in connection with criminal investigations or proceedings in another country, search for and seize material on behalf of another country, serve a summons or any other court process on a person in Ireland to appear as a defendant or witness in another country, and transfer a person imprisoned in Ireland to another country to give evidence in the foreign criminal proceedings.

In April 2018, the European Commission proposed a legislative package, which actually consists of two strongly interconnected proposals:

  1. a Proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters; and
  2. a Proposal for a Directive laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings, which is often referred to as the proposal on 'E-evidence'.

The E-evidence proposal will make it faster and easier for law enforcement authorities of Member States to obtain cross-border evidence. E-evidence proposes to introduce European Production and Preservation Orders in criminal matters. In effect, it allows a competent authority from one Member State to make a direct request to service providers in other Member States in order to obtain access to, or preservation of, electronic data for criminal investigations.

There are a number of additional measures in place to facilitate Ireland's cooperation with other EU Member States, including the Council Framework Decision on Freezing Orders and the Council Framework Decision on the European Evidence Warrant. In addition to this, Council Regulation 1206/200138 allows a court in another EU Member State (other than Denmark) to take evidence from a witness connected to court proceedings in Ireland. This is provided for under the Rules of the Superior Courts.39

Ireland is subject to the European Arrest Warrant Framework Decision, which was implemented by virtue of the European Arrest Warrant Act 2003, as amended by the European Arrest Warrant (Application to Third Countries and Amendment) and Extradition (Amendment) Act 2012. This governs all extradition procedures between EU Member States. The High Court is the competent authority for issuing a European arrest warrant if the individual sought is accused of an offence for which the maximum penalty is at least one year in prison, or if he or she has already been sentenced to a prison term of at least four months. A European arrest warrant does not have a dual criminality requirement – meaning the offence must be prohibited under the domestic law of both countries – for certain serious offences, such as corruption, fraud or money laundering. This legislation can extend to individuals from non-EU countries upon consultation between the Minister for Foreign Affairs and the Minister for Justice and Equality. Generally, extradition to non-EU countries is governed by the Extradition Act 1965, as amended (the Extradition Act). There are a number of preconditions to non-EU extradition. First, there must be an extradition agreement in place between Ireland and the non-EU country before an extradition can take place. Second, the Extradition Act retains a requirement of dual criminality. Third, the Extradition Act excludes extradition for political, military and revenue offences.

While there is currently a lot of uncertainly concerning what a post-Brexit United Kingdom will look like, it is likely that in a no-deal scenario, the United Kingdom will no longer be party to Europol or Eurojust, and no longer operate the European Arrest Warrant. Instead, according to the Law Enforcement and Security (Amendment) (EU exit) Regulations 2019, it will revert to the 1957 European Convention on Extradition regime. The Irish Government's General Scheme of the Miscellaneous Provisions (Withdrawal of the United Kingdom from the European Union on 29 March 2019) Bill 2019 likewise proposes application of the European Convention on Extradition regime to extradition between the United Kingdom and Ireland. This may have a negative impact on the efficiency with which the United Kingdom will be able to combat illicit activity after Brexit occurs. The UK Serious Fraud Office has also indicated that loss of access to EU measures and tools in this context will adversely affect investigations and prosecutions, representing a strategic risk to the United Kingdom.

The transposition of the EU 4AMLD into Irish law has also led to further enhanced international cooperation, as the Directive requires information to be shared between competent national authorities, including the creation of a central register of beneficial owners of entities. Under the EU Fifth Money Laundering Directive (due to be transposed by Member States by 10 January 2020), the Central Register will, in effect, widen the inspection net to the public in most cases.

The European Union (Anti-Money Laundering: Beneficial Ownership of Corporate Entities) Regulations 2019 came into force on 22 March 2019, save for Part 3. Part 3 concerns the new Central Register of Beneficial Ownership, which will become operative on 22 June 2019. The aim of the 2019 Regulations is to bring Ireland's beneficial ownership regulations in line with the 4AMLD as amended by the Fifth Money Laundering Directive. Therefore, the 2019 Regulations establish that the New Central Register of Beneficial Ownership of Companies and Industrial and Provident Societies is to be created on 22 June 2019. The deadline for filing for relevant entities is 22 November 2019.

iii Local law considerations

There are a number of legal considerations to be aware of in relation to a cross-jurisdictional investigation, in particular in the areas of banking confidentiality, data privacy and constitutional law.

An obligation of bank–client confidentiality is implied by common law. However, this obligation can be breached in limited circumstances, including where the terms of the contract with the customer so provide or a bank is compelled by law to disclose information.40

The General Data Protection Regulation 2016 (GDPR)41 became effective across the EU Member States on 25 May 2018. The GDPR introduces significant changes to data subject rights, supervision and enforcement, and the scope of the application of EU data protection law in that companies based outside the EU will be subject to GDPR when offering services in the EU. The Law Enforcement Data Protection Directive 2016 (the 2016 Directive)42 was adopted in parallel with GDPR and governs the processing of personal data by data controllers for 'law enforcement purposes', which falls outside the scope of the GDPR. The Data Protection Act 2018 gives further effect to the GDPR and the 2016 Directive while largely, though not entirely, repealing the previous Data Protection Acts. The Data Protection Act 2018 was signed into law on 24 May 2018, to coincide with the coming into effect of the GDPR.

Litigation in respect of data subject access requests was prevalent throughout 2018, including a series of Nowak cases, following on from the CJEU's decision in Nowak v. DPC (20 December 2017) (C-434/16). In that case, a broad interpretation was given to 'personal data' and it was held that the use of the expression 'any information' in the definition of 'personal data' in the Data Protection Directive 95/46/EC reflects the aim of the EU legislature to assign a wide scope to the concept, potentially encompassing all kinds of information provided that it relates to the data subject. As the GDPR contains a similar definition of 'personal data' to that in the Directive, namely 'any information relating to an identified or identifiable natural person', the CJEU's broad interpretation of the concept of personal data remains relevant post 25 May 2018. The court also considered whether personal data can be provided in a summary format in response to a data access request, rather than providing a copy of the actual document containing the data. The High Court ruled in Nowak v. DPC and Institute of Chartered Accountants in Ireland [2018] IEHC 118 (26 February 2018) that the obligation on a data controller was to communicate the relevant information not in its original form but rather in an 'intelligible form' to the data subject.

Further, Irish individuals or entities who are the subject of an international investigation benefit from the protection of the Irish Constitution and the European Convention on Human Rights, including the right to a good name and the right to a fair trial.

V YEAR IN REVIEW

During 2018, the government made significant progress in implementing the proposals set out in the Measures to Enhance Ireland's Corporate, Economic and Regulatory Framework. This included the enactment of the Corruption Offences Act, which commenced on 30 July 2018, and the publication of the General Scheme of the Companies (Corporate Enforcement Authority) Bill 2018 in December 2018. Under this Bill, it is proposed that the ODCE will be re-established as an agency, in the form of a commission, which will be known as the CEA. The new agency will have more autonomy and flexibility to adapt to the challenges it faces in encouraging greater compliance with the Companies Act. In addition, in 2018, the Minister for Justice and Equality appointed former DPP Mr James Hamilton to chair a review of Ireland's anti-corruption and anti-fraud structures and procedures in criminal law enforcement. This review will assess the extent to which the various state bodies involved in the prevention, detection, investigation and prosecution of fraud and corruption are working effectively together, and to identify any gaps and impediments in this regard.

The ODCE and the Central Bank have also been vocal about their commitment to advancements in their investigative practices and procedures. The ODCE reported key hires including a digital forensic specialist, an investigative accountant, a Detective Inspector position and two enforcement portfolio managers. The OCDE has also reported advancements in relation to their forensic capabilities including a dedicated digital forensics laboratory.

As mentioned, during the past year, we have also seen the enactment of the Data Protection Act 2018, which, together with the entry into force of the GDPR in May 2018, amends data protection laws, creating a consistent data protection regime across the European Union.43

The renewed focus on measures to enhance Ireland's approach to corporate misconduct is both timely and significant given the uncertainty surrounding Brexit. However, the Political Declaration published on 22 November 2018 emphasises the commitment to mutual cooperation, stating that reciprocal equivalence frameworks will be put in place enabling both the European Union and the United Kingdom to declare a third country's regulatory and supervisory regimes 'equivalent'.

VI CONCLUSIONS AND OUTLOOK

Ireland has a robust regime for the investigation and prosecution of corporate misconduct that helps to maintain its reputation as a low-risk country in which to do business. The government has signalled its intention in recent years to ensure that the legal and regulatory environment continues to be subject to regular scrutiny and review so that it is strengthened appropriately to meet emerging risks and challenges.44 With that in mind, it seems likely that we will continue to see more enforcement across all regulated sectors in the future.


Footnotes

1 Karen Reynolds and Claire McLoughlin are partners and Ciara Dunny is a senior associate at Matheson.

2 Measures to Enhance Ireland's Corporate, Economics and Regulatory Framework, November 2017.

3 ibid.

4 Section 949(c) and (d) of the Companies Act 2014.

5 Section 899 of the Taxes Consolidation Act 1997.

6 ibid., Section 895.

7 ibid., Sections 902A and 908.

8 ibid., Section 908C.

9 Section 36 of the Competition and Consumer Protection Act 2014.

10 Attorney General and Director of Public Prosecutions [2019] IESC 39.

11 'Outline of Administrative Sanctions Procedure', published by the Central Bank of Ireland in 2018.

12 [2015] IEHC 809.

13 (2001) 2 IR 50.

14 [2018) IEHC 51.

15 [2018] IEHC 51.

16 (2005) IESC 3.

17 Sections 11 and 12 of the Protected Disclosures Act 2014.

18 Superwood Holdings plc v. Sun Alliance and London Insurance plc (1995) 3 IR 303.

19 Section 6(1) of the Criminal Justice Act 1993.

20 Section 85 of the Safety, Health and Welfare At Work Act 2005; Section 1086 of the Taxes Consolidation Act 1997.

21 Sections 75 and 85 of the Consumer Protection Act 2007, as amended by the European Union (Consumer Information, Cancellation and Other Rights) Regulations 2013; Section 1078(3A) of the Taxes Consolidation Act 1997.

22 The Central Bank (Supervision and Enforcement) Act 2013.

23 Section 2 of the Competition (Amendment) Act 2012.

24 Section 839 of the Companies Act 2014.

25 Section 17(1)(a) of the Criminal Justice (Corruption Offences) Act 2018.

26 ibid., Section 17(1)(b).

27 ibid., Section 17(4)(b).

28 ibid., Section 17(4)(c).

29 (2000) 4 IR 356.

30 Bank of Ireland v. O'Reilly [2015] IEHC 241.

31 Mooney v. An Post (1998) 4 IR 288.

32 Section 235 of the Companies Act 2014.

33 Section 235(4) of the Companies Act 2014.

34 ibid., Section 235.

35 DPP v. TN [2018] IECA 52.

36 Section 8 of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010.

37 As amended by the Criminal Justice (Mutual Assistance) (Amendment) Act 2015.

38 Council Regulation (EC) No. 1206/2001 of 28 May 2001 on cooperation between the courts of the Member States in the taking of evidence in civil or commercial matters.

39 Order 39 Rule 5 Rules of the Superior Courts.

40 Tournier v. National Provincial and Union Bank (1924) 1 KB 461.

41 Regulation (EU) No. 679/2016.

42 Directive (EU) 2016/680.

43 Irish Government New Service – 2 February 2018.

44 Measure to enhance Ireland's Corporate, Economic and Regulatory Framework.