The International Investigations Review: United Kingdom - England & Wales


The law on corporate criminal attribution in England and Wales has historically made it difficult to hold entities to account for the actions of their employees. This, in turn, led to a relatively low prioritisation of corporate investigations, which has been subject to change in the past decade and a half. Driven by developments in certain areas of criminal law,2 increasingly aggressive enforcement in sectors such as financial services, and increasing public demands for corporate accountability, the nature and scope of corporate investigations have been steadily growing.

Several bodies have responsibility for various aspects of corporate investigations:

  1. the Serious Fraud Office (SFO) investigates and prosecutes the most serious cases of fraud and other economic crimes in the United Kingdom (UK). This includes lead-agency responsibility for enforcing the Bribery Act 2010 (BA 2010);3
  2. the Competition and Markets Authority (CMA) is the main competition regulator and is responsible for enforcing the Competition Act 1998 (CA 1998), the Enterprise Act 2002 and Articles 101 and 102 of the Treaty on the Functioning of the European Union;4
  3. the Financial Conduct Authority (FCA) is both a prosecuting body and the regulator of financial institutions, with responsibility for maintaining the integrity of the UK financial markets, including the investigation of financial sector crimes, such as market abuse and insider dealing;5
  4. Her Majesty's Revenue and Customs (HMRC) investigates tax and revenue-related offences with wide-ranging civil and criminal investigatory powers;6
  5. the Office of Financial Sanctions Implementation (OFSI) implements the UK sanctions regime;7
  6. the Crown Prosecution Service (CPS) prosecutes cases investigated by the police forces of England and Wales, as well as on behalf of HMRC and the CMA (which have only investigatory powers and no prosecuting authority);8 and
  7. the National Crime Agency (NCA), which includes the National Economic Crime Centre (NECC),9 coordinates and assists the work of the other agencies and the police in the investigation and prosecution of economic crime.

These bodies have distinct remits, albeit with some overlap, and a range of powers to enforce the legislation within those remits. This includes the ability to execute search warrants and to file compulsory production notices for the production of documents in certain cases. Some of these powers can only be exercised with a court order, some have to be exercised with the assistance of the police, and others are wholly in the control of the agency itself (determined by the statutory powers by which it is established).

The ability and extent of the powers to obtain material has been the subject of a number of important challenges through the courts in recent years, which will be discussed further below. Corporations are not permitted to withhold documents from the authorities on the grounds of client confidentiality and data privacy, and must hand over any materials requested by such notices and orders, save when legal privilege applies.10 It is a separate criminal offence in England and Wales not to comply with a lawful production order.

Another area of significant development in the law has been the introduction of deferred prosecution agreements (DPAs), which are available to prosecutors in both the CPS and the SFO. Under a DPA, corporations11 accused of certain criminal offences are permitted to enter into an agreement with the prosecutor to defer a prosecution (and, potentially, avoid a prosecution altogether) if they fulfil the terms of an agreement approved by a judge. The agreement usually includes payment of a financial penalty, costs and compensation; implementation of, or improvement to, a compliance programme; and cooperation with ongoing investigations. So far, there have been seven DPAs in the UK, including three in the 2019/2020 financial year, a considerable increase from previous years, although the regime has come under considerable criticism (see Section III.iv).


i Self-reporting

A corporate's approach to self-reporting in England and Wales must be considered against a broad spectrum of factors, which include the nature of the issue, the prospect of enforcement activity, the benefits of cooperation with authorities, the industry sector in which the corporate operates and the supervisory regime applicable to the corporate. Although there is no obligation to self-report most criminal conduct, there are notable exceptions for those operating in regulated sectors such as financial services. The decision of whether to self-report will need to take into account this wide range of factors, as well as the possibility of enforcement actions in other jurisdictions (which will be subject to their own decision in respect of self-reporting) and will usually be taken with the assistance of legal counsel.

The FCA's principles of openness create an expectation that the entities they regulate will self-report issues.12 The regulator has regularly made clear that it regards self-reporting to be a key part of the open and cooperative relationship it expects of its regulated entities.13 Within its guidance, the FCA mandates a large number of reporting requirements including reporting in relation to complaints,14 accounts15 and market abuse.16 The principle of openness has, on several occasions, been the basis for fining firms for failing to adequately self-report.

The CMA operates a more discretionary approach to self-reporting, but one based on an explicit framework for the recognition of reporting.17 The leniency programme is designed to encourage companies that have been involved in wrongdoing to proactively cooperate with the CMA. To encourage self-reporting, the CMA offers a sliding scale of leniency ranging from total immunity to reduced financial penalties, depending on the timing of the self-reporting.18 As with most self-reporting regimes, the earlier the report is made, the more lenient the authority will be.

Although not as structured as the CMA scheme, a similar incentive-based self-reporting principle is operated by the SFO and CPS. The SFO's policy on corporate self-reporting states that self-reporting will be a key factor in deciding whether to prosecute.19 On 6 August 2019, the SFO published new Corporate Co-operation Guidance that outlines cooperative steps companies can take to gain credit from the SFO, which it will take into account when deciding whether to issue a charging decision, DPA or other appropriate sanction, if at all.20 The benefits of self-reporting have also been highlighted in the guidance provided for DPAs.21 Initially the SFO had indicated that only companies that self-reported would be eligible for a DPA, but both Rolls-Royce and Tesco have been able to secure DPAs without self-reporting.22 Self-reporting has played an instrumental role in all of the DPAs agreed in the 2019/2020 financial year; for example, the SFO Director, Lisa Osofsky, stated that the DPA agreed with Güralp Systems Limited was because of its 'timely self-reporting and full cooperation'.23 In the non-regulated sectors, the decision as to whether to self-report is a balance between a number of incentives and disincentives that require careful consideration.

An additional but discrete layer of strict self-reporting is required under the Proceeds of Crime Act 2002 (POCA 2002). POCA 2002 legislates for a number of criminal money laundering offences, including becoming concerned in an arrangement that the person knows or suspects facilitates the acquisition, retention, use or control of criminal property by or on behalf of another person.24 Voluntary self-reporting through an authorised disclosure may be used as a defence to such an offence.25 Although self-reporting is not compulsory for non-regulated persons, it is a criminal offence for a regulated person – who has reasonable grounds for knowing or suspecting that another person is engaged in money laundering – to fail to report such knowledge or suspicion.

ii Internal investigations

Internal investigations are increasingly used by both international and domestic companies as a way of mitigating risk as well as honouring regulatory obligations. It is no longer a viable option for a company to turn a blind eye to any allegations or suspicions that it receives about its business operations, and an internal investigation is a common first step in dealing with potential issues.

Preliminary or scoping interviews occur in the very early stages of investigations and are used to identify useful information and where further evidence might be located. Witness interviews form a crucial part of internal investigations. Importantly, these interviews may take place on the understanding – between the interviewer and the employee – that they are confidential and attract privilege.26 However, 'the law as it stands today is settled. Privilege does not apply to first interview notes': unless those notes contain privileged legal advice, when privilege would then apply.27

Authorities expect details of witness interviews to be provided to them. This expectation is set out in the form of speeches and guidelines as opposed to law. To gain the benefit of a DPA, the SFO has said it expects companies to cooperate and comply with Clause 2.8.2(i) of the Code of Practice on Deferred Prosecution Agreements (the DPA Code) by 'identifying relevant witnesses, disclosing their accounts and the documents shown to them and, 'where practicable', making witnesses available for interview when requested'.28

The SFO has not set out clear guidance as to the detail it expects to be provided with witness interviews;29 however, it has made it clear that 'first accounts' are expected as part of any information given to the SFO. There does not appear to be a consistent practice in this regard, and the approach can vary case-by-case.30 Over the past five years, there has been a suggestion from the SFO that they are reluctant to see companies conducting internal investigations for fear of them 'trampling the crime scene'.31 Under the current SFO Director,32 however, there appears to have been a shift in this approach. For example, in its Corporate Co-operation Guidance, the SFO stipulates that for a company to be considered cooperative it should, among other things, provide the evidence that it has collected during an internal investigation.33

The FCA also takes a cautious approach to internal investigations and has noted a number of potential issues with internal investigations. These issues include poor communication with the FCA at the early stages of an investigation resulting in a report that is unhelpful for FCA purposes, or even the risk that a subsequent FCA investigation is prejudiced or hindered by a firm's own internal investigation.34

By contrast, the CMA's approach to self-reporting necessitates internal investigations, in particular the requirement for supporting evidence in claims for leniency; however, these internal investigations are required to be limited to what is strictly necessary to minimise the risk of 'tipping off' other parties to cartel activity. As part of the leniency application process, companies are required to take 'careful note' of all investigative actions and keep records until the conclusion of any related proceedings.35

One issue related to internal investigations that has received significant attention in the past few years is legal professional privilege. In England and Wales, internal legal counsel attract the same legal privilege as external counsel, so one of the advantages of instructing external counsel may not exist compared to other jurisdictions. The extent of that privilege has been the subject of judicial decision in Director of the SFO v. Eurasian Natural Resources Corporation Limited [2018] EWCA Civ 2006 (ENRC), where the Court of Appeal reversed the first-instance decision36 in which the High Court agreed with the SFO's view that litigation and legal advice privilege did not apply in the context of documents that were generated during an investigation by forensic accountants and lawyers (see Section IV.iii).

In most internal investigations, employees will not receive their own independent legal advice. This is because the interviews are simply part of a fact-finding investigation and the employee is not treated as a suspect. In these circumstances, cooperation between employees and their companies will be in both parties' shared interests. At the outset of any fact-finding interview, the individual must be advised that the lawyers representing him or her are the company's lawyers and that the company holds the privilege.37

However, in some circumstances, independent legal representation for the employee may be either necessary or desirable; for example, if the employee is a suspect, or risks incriminating themselves or admitting regulatory breaches, or has the potential to create a liability for the employer. In these circumstances, there may be a conflict between the best interests of the employee and their employer and independent legal advice would be appropriate.

iii Whistle-blowers38

There is market-wide protection for whistle-blowers set out in the Public Interest Disclosure Act 1998 (PIDA 1998). PIDA 1998 has a significantly broader definition of 'worker' than the Employment Rights Act 1996, which includes employees, employee shareholders and agency workers.39 Should an employer dismiss a worker for the reason (or principal reason) that the employee made a 'protected disclosure', this dismissal will automatically be unfair. Further, if an employer subjects an employee to any detriment for the reason that he or she made a protected disclosure then they could also have a distinct claim for detriment up to the date the employee was dismissed. Detriment can include damaged career prospects, docking of pay or loss of work and disciplinary action. The tests for qualifying for protection are:40

  1. Was the disclosure a qualifying disclosure?
  2. Has the worker made a disclosure of information?
  3. Did the subject matter of the disclosure relate to one of the types of 'relevant failure'?
  4. Did the worker have a reasonable belief that the information shows that one of the six relevant behaviours has occurred?
  5. Did the worker have a reasonable belief that the disclosure was in the public interest (not applicable to disclosures made before 25 June 2013)?41
  6. Was the disclosure a protected disclosure?

In March 2019, the former Prime Minister Theresa May announced that the government would be bringing in changes to the operation of non-disclosure agreements, particularly those that operate between employees and employers. One of the stated motivations for the changes is to give whistle-blowers additional protections and to ensure individuals are not put off from reporting their concerns to the appropriate enforcement agencies. There have not, to date, been any legislative changes on the back of this announcement.

On 8 September 2019, the Council of Ministers adopted the EU Whistleblower Directive (the Directive) which grants greater protections to individuals who report any breach of EU law. While the Directive is to be treated as a floor for unified protections across the EU, countries can further strengthen their own regimes as they wish. Given the UK's departure from the European Union (EU) on 31 January 2020, the applicability of the Directive after the UK's transition period is uncertain and, at the time of writing, the UK is not going to implement the Directive. However, the proposals prior to the implementation of the Directive noted that the UK was one of the Member States that already has a comprehensive regime in place42 and many of the protections underpinning the Directive already exist in legislation such as PIDA 1998.

The financial services sector has developed a more rigorous whistle-blower regime than that created under the PIDA 1998. The current regime applies to around 8,000 companies operating in the financial services sector, but it is estimated that this could increase to 55,000 companies once the regime is widened.43 The FCA has reported that whistle-blowing 'is on the rise' and that it investigated 1,119 whistle-blower complaints in 2019 alone.44

On 14 November 2018, the FCA published its research into the consequences of the new whistle-blowing rules introduced on 7 September 2016. These rules can be found in the Senior Management Arrangements Systems and Controls 1845 and they require firms to:

have effective arrangements in place for employees to raise concerns, and to ensure these concerns are handled appropriately and confidentially. The requirement to appoint a whistle-blowers' champion is to ensure there is senior management oversight over the integrity, independence and effectiveness of the firm's arrangements.46

The Financial Reporting Council (FRC),47 which is responsible for setting UK standards of corporate governance, includes, within the UK Corporate Governance Code 2018, a principle that '[t]here should be a means for the workforce to raise concerns in confidence and – if they wish – anonymously'.48 This code, however, operates on a 'comply or explain' basis, so listed companies are not obliged to have a whistle-blowing policy in place, even if it is good practice.

Similarly, the Ministry of Justice (MOJ) suggests that having adequate whistle-blowing procedures49 may be an important part of asserting an 'adequate procedures' defence to the offence of failing to prevent bribery under Section 7 BA 2010 and the British Standards Institution outlines whistle-blowing procedures as part of its published standard for Anti-Bribery Management Systems.50

In contrast to the system used by the Securities Exchange Commission in the United States (US), there are currently no monetary incentives in England and Wales for whistle-blowers to come forward, and the Directive also does not require them. The Home Office has previously considered introducing financial incentives for whistle-blowers who come forward on matters of 'fraud, bribery and corruption';51 however, research from various groups, including the FCA and the Prudential Regulatory Authority (PRA), concluded that providing financial 'incentives' would not in fact encourage whistle-blowing.52


i Corporate liability

The case law on corporate civil liability is voluminous. In general, a corporate employer is vicariously liable for the acts of its employees if it would be fair and just to hold the employer vicariously liable. If the employees' acts are within the ordinary course of their employment, this will usually be sufficient.

By contrast, corporate criminal liability is normally only relevant if a criminal offence imposes strict liability and the state of mind of the company (acting through its employee) does not need to be established. In addition, there are a growing number of statutory offences that create a corporate liability, such as the offence of 'failing to prevent bribery' under Section 7 of the BA 2010, which is discussed further below.

Apart from those offences that create a direct corporate liability, companies will only be liable for offences requiring proof of a criminal state of mind by application of the 'identification principle'. The identification principle imputes, to the company, the acts and state of mind of the individuals who represent the 'directing mind and will' of the company. This is much narrower than the basis of attribution in the US, for instance, where a company can be liable for the actions of its agents and employees when they act within the scope of their employment and, at least in part, to benefit the company (which is more akin to the basis for civil liability in England and Wales).

The leading case of Tesco Supermarkets v. Nattrass [1972] AC 153 defines the 'directing mind and will' of the company as the directors and, in certain circumstances, other senior officers of the company who carry out management functions and speak and act as the company. The test of attribution may also be met if the directors have delegated part of their management functions.53 This has historically been very difficult to prove against companies and this has only got more difficult as complex corporate structures become a common feature in UK corporate bodies.

The BA 2010 introduced a new approach to establishing corporate criminal liability in the UK. It legislates for bribery offences committed in the UK and abroad by individuals and companies. Section 7 of the BA 2010 creates the offence of 'failure to prevent bribery', which can be committed by a corporate entity only. It first requires that a person associated with the company has committed an offence under Sections 1 or 6 of the BA 2010 or would have done if they were within the territorial scope of the BA 2010. A person is 'associated with' the company if they perform services for or on behalf of the organisation in any capacity. This is, therefore, not confined to employees but also covers agents such as independent contractors.

Second, Section 7 of the BA 2010 requires the person who committed the offence to have intended either to obtain or retain business or an advantage in the conduct of business for the company. Knowledge on behalf of the company is not required. Section 7 of the BA 2010 has a broad territorial scope and applies not only to UK-incorporated companies but also those that carry on a business or part of a business in the UK.

It is a complete defence to the corporate offence of 'failure to prevent bribery' that the company had in place 'adequate procedures' to prevent acts of bribery by persons associated with it (this is discussed in more detail below).

ii Penalties

The approach to sanctions against businesses for corporate misconduct has shifted in recent years. Corporations considered liable for corporate misconduct can suffer penalties ranging from a minor fine to a substantial financial penalty and severe criminal consequences from a selection of prosecuting bodies.

The Financial Services and Markets Act 2000 (FSMA 2000) grants the FCA the power to impose a variety of sanctions ranging from public censure to the revocation of FCA authorisations and large regulatory fines.54 There were a number of notable fines associated with breaches of the FCA's Principles for Business in 2019.55 Carphone Warehouse, for example, was fined £29,107,600 for mis-selling a mobile phone insurance and technical support product.56 FSMA 2000 also grants the FCA the power to bring criminal prosecutions for the purpose of tackling financial crime such as investigations for insider dealing pursuant to the Criminal Justice Act 1993, and breaches of the recently enacted Sanctions and Anti-Money Laundering Act 2018. The FCA's Decision Procedure and Penalties Manual sets out a non-exhaustive list of the factors that the FCA considers before issuing a penalty, which includes looking at the nature, seriousness and impact of the suspected breach, the conduct after the breach and previous disciplinary record and the compliance history of the person in question. The FCA will also consider 'the full circumstances of each case' when determining whether to impose a penalty.57

The CMA also has a range of criminal and civil powers afforded to it under legislation with regard to competition law infringements. The CMA can impose fines for breach of the CA 1998 if the CMA is satisfied an infringement has either been intentionally or negligently committed.58 The most notable fine that the CMA can impose is an amount of up to 10 per cent of a firm's worldwide turnover in the business year that precedes the date of the CMA's decision.59

The CMA can also impose settlement and the making of commitments.60 Settlement allows early resolution of investigations by way of a voluntary process if a business under investigation by the CMA for a breach of competition law admits a breach and accepts a streamlined version of the process that will govern the remainder of the CMA investigation. In return for its cooperation and an admission of wrongdoing, the business will gain a reduction in any financial penalty that the CMA imposes. Commitments and directions in relation to the settlement are agreed between the CMA and the firm and the courts have the power to enforce them in the event of non-compliance.

The SFO has the power to prosecute in cases involving serious or complex fraud, bribery and corruption. Alternatively, the SFO may consider inviting a company to enter into a DPA. DPAs were introduced in the UK in 2014 as a discretionary tool for use by the SFO that enables prosecutors to enter into agreements with the offending corporation to suspend prosecution for a defined period of time so long as specified conditions are met by the business during the suspension period.61 DPAs are supervised by a judge and governed by the DPA Code published by the SFO and the CPS, which states that the SFO's role is as a prosecutorial authority and that DPAs are for use only in exceptional circumstances.62

Corporate tax offences are resolved primarily by means of a civil resolution by HMRC. It is also possible that corporate tax offences can lead to criminal charges in the circumstances of corruption or links to wider criminal offences either in the UK or overseas.

If a corporation breaches any UK or international sanction, a distinct Treasury unit, the OFSI, is the competent authority for the implementation of penalties, including financial penalties under the Policing and Crime Act 2017. The maximum penalty that the OFSI can impose will be the greater of £1 million or 50 per cent of the value of the breach.63

Individuals prosecuted by these agencies can be ordered to pay fines, compensation and court costs and may receive prison sentences if the offences are serious enough. In addition, individuals may be disqualified from holding directorships in the UK.

iii Compliance programmes

Both the CMA and the FCA publish a variety of documents to assist companies in meeting their compliance obligations, including annual plans and a great deal of guidance in the run up to the UK's planned departure from the EU.

As described above, the BA 2010 provides a defence to the Section 7 offence, if a commercial organisation can show on the balance of probabilities that it had in place 'adequate procedures' designed to prevent bribery. The MOJ has provided guidance on what constitutes 'adequate procedures' for the purposes of the defence, including six principles to provide businesses with guidance in establishing and maintaining a compliant anti-bribery regime. The principles are:

  1. proportionate procedures;
  2. top-level commitment;
  3. risk assessment;
  4. due diligence;
  5. communication; and
  6. monitoring and review.64

The guidance is clear that it is not enough for a company to have a suite of policies; the culture of compliance and regular training will also be an important part of determining whether procedures will be considered adequate.

The BA 2010 'adequate procedures' defence was tested for the first time in the case of R v. Skansen Interiors Limited (unreported). The case concerned two bribes that had been paid to an employee managing the tender for an office refurbishment by Skansen Interiors Limited (SIL), a small refurbishment company. When a new chief executive officer took over at SIL and learned about the payments that had been made, he initiated an internal investigation and established an anti-bribery and corruption policy. SIL then submitted a suspicious activity report to the NCA.

The question for the jury was whether SIL had adequate procedures in place. SIL argued, inter alia, that: its policies and procedures were proportionate to its size – it was a very small business operating out of a single open-plan office; its business was very localised, removing the need for more sophisticated controls; it was 'common sense' that employees should not pay bribes; the ethos of the company was one of honesty and integrity; and a company of its size did not need a more formal policy. The jury did not agree and returned a guilty verdict.

A similar offence to the Section 7 BA 2010 offence exists in Sections 44 and 45 of the Criminal Finances Act 2017 (CFA 2017) in relation to the failure by a company to prevent a tax evasion offence by an associated person, which includes a similar 'reasonable procedures' defence.

iv Prosecution of individuals

The CPS and the SFO look to prosecute individuals for financial crime; when a business is prosecuted within England and Wales, enforcement action will usually also be taken against individuals involved. Guidance states that the prosecution of a company should not be seen as a substitute for the prosecution of criminally culpable individuals such as directors, officers, employees or shareholders of the offending company.65 The prosecution of individuals in circumstances involving corporate misconduct is viewed as essential in providing a strong deterrent against future corporate wrongdoing.66

When proceedings or enforcement action is launched against individuals, the company involved must be conscious of its obligations towards its employees. Often, corporates will suspend the individuals suspected of wrongdoing for the duration of any investigations; however, any suspension must be deemed to be fair and reasonable. Individual employees may be entitled to further assistance from their employer company by means of assistance with legal fees in the event of any investigations, although there is no statutory requirement for this currently. Alternatively, some employees may be entitled to some form of officer liability insurance, which can provide cover for the duration of any investigations or trial. Given the scale and cost of government investigations to date, this has become the norm in larger companies.

Recently there has been attention on the SFO's failure to prosecute individuals connected to corporations who are the subject of criminal proceedings. In February 2019, two years after the Rolls-Royce DPA was secured (with the company paying £497.25 million), Lisa Osofsky announced that senior employees from the company would not be prosecuted because of 'insufficient evidence' and because such a prosecution was 'not in the public interest'.67 Similarly, in December 2019, two months after the SFO confirmed a DPA with Güralp Systems Limited, its founder and two former employees were acquitted of charges of conspiring to bribe public officials.68 In December 2019, the SFO charged two former directors of Serco Geografix Limited, which had entered into a DPA with the SFO in July 2019,69 but these former directors are yet to be tried. This means that the SFO has so far failed to prosecute any individuals associated with the DPAs it has entered into.

In December 2018, the trial of three former executives from Tesco collapsed, with Sir John Royce, the judge in the last of these Tesco trials, going so far as to say that 'the prosecution case was so weak that it should not be left for a jury's consideration'. There has been criticism that the statement of facts entered into by Tesco, in its DPA with the SFO, can assert that the three former executives were 'aware of and dishonestly perpetuated the misstatement [of figures] . . . thereby falsifying or concurring in the falsification of accounts or records'70 and yet, when these assertions are tested in criminal court, they collapse, leaving the individuals with limited options for relief or recourse. The lawyers who defended John Scouler, former food commercial director at Tesco, noted: 'despite his acquittal, Mr Scouler finds himself labelled as culpable in a private agreement, but one which is now made public, which the SFO concluded with Tesco before the SFO's evidence was heard'.71 It remains to be seen how the SFO considers the need for actual convictions as part of the consideration for granting a DPA in the future.

Although there have not been any successful prosecutions of individuals associated with DPAs, the SFO has been successful in prosecuting some individuals, most notably in connection with London Interbank Offered Rate (LIBOR) or Euro Interbank Offered Rate (EURIBOR) rigging. For example, on 4 March 2020, the SFO secured the conviction and imprisonment of former bankers for manipulating EURIBOR.72 The former bankers also faced a fine of £1.2 million. The SFO recently concluded its long-running investigation into the LIBOR/EURIBOR scandal.

While there has been an increasing interest in the ability of the authorities to pursue cases against companies, the prosecution of individuals has continued to represent the greater part of the prosecutor's activities, including significant financial penalties and prison sentences. Legislative changes have made it easier for the authorities in the UK to prosecute companies, but these authorities all remain committed to the investigation and punishment of individuals.


i Extraterritorial jurisdiction

Any departure from the general presumption against the creation of extra-territorial liability must be expressly provided by the legislature;73 below is an overview of key examples of pieces of UK legislation containing corporate offence provisions with extra-territorial reach.

The BA 2010 has a wide territorial remit, covering offences that take place in the UK or overseas as long as the company is either UK incorporated or carries on a part of its business in the UK.74

Among other laws, POCA 2002 contains the UK's money laundering offences. Broadly speaking, the money laundering provisions aim to tackle the channels through which proceeds of criminal activity pass. In terms of jurisdictional reach, the location of the underlying criminal conduct is irrelevant; if the conduct would amount to a criminal offence in the UK, had it occurred there, then it will fall within the ambit of POCA 2002, subject to very limited exceptions.75 In addition, UK nationals, living overseas, can also be prosecuted for money laundering offences committed outside the UK.

The offence of failure to prevent the facilitation of tax evasion was introduced by the CFA 2017 and applies to both domestic and overseas tax evasion. Under the CFA 2017, companies are liable for the conduct of their associated persons who facilitate the evasion of either UK or overseas tax. For the UK tax evasion offence, the conduct can occur anywhere in the world; for the foreign tax evasion offence, the relevant body must either be incorporated in the UK, carry on business in the UK or the relevant conduct must have taken place in the UK. 'Relevant bodies' will be liable for failing to prevent the actions of their employees and other associated persons who criminally facilitate tax evasion.76 A 'relevant body' is a company or partnership, irrespective of jurisdiction of incorporation or formation.77 A 'person associated' with the relevant body is an employee, an agent or any other person performing services for or on behalf of that relevant body.78 To the extent the offence took place outside the jurisdiction, UK prosecutors need to prove, to the criminal standard, that both the taxpayer and the associated person committed an offence. Like the corporate offence under the BA 2010, the CFA 2017 provides companies with a defence where they can show that they had in place 'reasonable procedures' to prevent the offending.

With the increase of online criminal activity, the Crime (Overseas Production Orders) Act 2019, which came into force on 12 February 2019, will provide a useful basis for investigators and prosecutors that require quick access to electronic data (such as emails) situated outside the UK. However, the extra-territorial power will only be effective when there is a cooperation agreement in place between the UK and the jurisdiction where the holder of the data is located. At the time of writing, there is only one cooperation agreement in place which is between the UK, Northern Ireland and the US.79

ii International cooperation

The UK authorities work with their counterpart authorities in other jurisdictions in a variety of ways. Some 'formal' methods of cooperation are set out below, but it is not uncommon for international enforcement authorities to share information with their foreign counterparts through more informal channels of communication, relying on established relationships.80

Following the UK's exit from the EU on 31 January 2020, there is a degree of uncertainty regarding the future framework for international cooperation between the UK and Europe. Presently and during the UK's transition period (which is currently expected to last until 31 December 2020) the current framework remains in force, but it is not clear how negotiations will affect mechanisms for European cooperation and what will happen to the UK's access to EU criminal databases and the operation of the European Arrest Warrant.

The UK has a number of statutorily created 'information gateways' that enable certain authorities to share and supply information with each other, internationally and domestically.

For instance, Section 68 of the Serious Crime Act 2015 permits public authorities to disclose information to other organisations to prevent fraud. Part XXIII of the FSMA 2000 allows for disclosure of information to enable the performance of a public function, and Part 9 of the Enterprise Act 2002 allows for the disclosure of information received by the CMA in certain circumstances, such as where it is disclosing that information to another authority for the purposes of criminal proceedings.

Typically, authorities may enter into memorandums of understanding (MOUs) with domestic and overseas authorities that have a similar remit. MOUs tend to explicitly set out available gateways that may be relied on and provide guidance as to how the information is transferred. For example, the PRA and FCA have entered into a number of MOUs with equivalent authorities in other jurisdictions, such as the MOU between the Dubai Financial Services Authority and the PRA, dated 12 June 2014,81 and the MOU between the US Commodity Futures Trading Commission and the FCA, dated 6 October 2016.82

Multilateral and bilateral mutual legal assistance (MLA) treaties are a form of cooperation between different countries that allow for the collecting and exchanging of information.83

Authorities may request and provide evidence located in one country to assist in criminal proceedings or investigations in another.84 The UK has signed a number of multilateral and bilateral MLA treaties, such as the bilateral agreement with the US in 1994.85 Cross-border criminal investigations often involve suspects that reside outside the jurisdiction in which the investigation is being conducted. UK extradition is governed by the EU Framework Decision,86 implemented through the Extradition Act 2003.87 In the UK there are two forms of extradition: export extradition, which relates to a request by another state for the extradition of someone from the UK; and import extradition, which relates to a request to another state for the extradition of a person to the UK.88

A number of bars to extradition exist, including the 'forum bar', which provides that extradition may be barred if it would not be in the interests of justice.89

iii Local law considerations

Data privacy

The UK remains subject to the EU's General Data Protection Regulation (GDPR) until 1 January 2021.90 The GDPR has extra-territorial application to organisations that monitor behaviour of individuals that takes place within the EU, or to organisations offering services or goods to individuals in the EU. The government of the UK has issued its own version of the GDPR, namely the United Kingdom General Data Protection Regulation (the UK-GDPR), which took effect on 31 January 2020, and does not contain any significant differences to the GDPR.91

The GDPR imposes strict data protection obligations and prohibits the transfer of personal data from the UK to a location outside the European Economic Area (EEA) unless the recipient, jurisdiction or territory is able to ensure a UK-equivalent level of protection. As it stands, the European Commission has determined that only a few countries provide 'adequate' levels of protection, while many other countries, such as the US, fall short of the standard.92 This means organisations operating in the UK may be limited in their ability to transfer personal data into various non-EEA territories.

July 2016 saw the adoption of the EU–US privacy shield adequacy decision (the Privacy Shield).93 The Privacy Shield requires US companies to protect EU citizens' personal data in accordance with particular standards; for instance, limiting the conditions for onward transfer of data to third parties, as well as transparency obligations on access by the US government.94 However, a recent review carried out by the European Data Protection Board (EDPB) noted that areas requiring significant improvement remain, which the EDPB considers both the Commission and US authorities should address.95 Particular areas of concern include the absence of substantial checks, the application of Privacy Shield requirements regarding onward transfers and human resources data and processors.96

Legal professional privilege

Legal professional privilege has been a heavily litigated issue in recent years. England and Wales recognises two forms of legal professional privilege, in respect of both in-house and external counsel:

  1. 'litigation privilege', which attaches to communications passing between a lawyer and a client, and also between a lawyer or client and a third party (such as a forensic accountant), for the sole or dominant purpose of preparing for adversarial litigation.97 The litigation can either be in progress or in contemplation, and includes civil and criminal litigation98; and
  2. 'legal advice privilege', which attaches to confidential communications passing between lawyer and a client for the purposes of giving or receiving legal advice. It will not usually apply to communications between a company and its own employees in the context of an investigation.

The meaning of 'client' was discussed in detail in Three Rivers No. 5 [2003] EWCA Civ 474, yet the ratio of the case has been inconsistently understood and, although it has been recently criticised,99 Three Rivers No. 5 remains the leading authority in this respect. The concept of 'client' in a corporate context was considered again in The RBS Rights Issue Litigation, in which Hildyard J held that interview notes produced by lawyers during the course of an internal investigation were not protected by legal advice privilege.100 Hildyard J understood the Three Rivers No. 5 decision as establishing the principle that the 'client', for the purposes of a lawyer–client communication protected as legal advice privilege, must be someone who is authorised to seek and receive legal advice.101

This approach was followed by Andrews J in the first-instance decision in ENRC.102 On appeal, the court held that whether Three Rivers No. 5 was correctly decided regarding the nature of a 'client' was a matter for determination by the Supreme Court.103 The court did indicate, however, that there was 'much force' in the submissions that if Three Rivers No. 5 did lay down a restrictive interpretation of 'client', then it was wrongly decided.104 The court said that 'if, therefore, it had been open to us to depart from Three Rivers (No. 5), we would have been in favour of doing so'.105 Hickinbottom LJ also had sympathy for this position in a recent Court of Appeal judgment and, while he felt 'disinclined' to follow Three Rivers No. 5, he stated that he was ultimately bound to do so.106

Year in review

In January 2020, Transparency International released its annual Corruption Perception Index, in which the UK remained out of the top 10 for public sector transparency for the second year in a row. The Chief Executive of Transparency International UK commented that: 'These results are a stark reminder that there is no room for complacency in the fight against global corruption. While the UK made some significant strides to tackle dirty money in recent years, it is deeply concerning to see its score relating to perceived public sector corruption stagnating. The new Government now has an opportunity to pull the UK back into the top 10. To do so it will need considerable ambition that will put anti-corruption front and centre of public policy both at home and abroad.'107

Boris Johnson's election victory on 12 December 2019 brought to an end the uncertainty over the UK's withdrawal agreement, more than three years after the referendum decision to leave the EU, in June 2016. The UK officially left the EU on 31 January 2020 and has now entered into a transition period that is expected to end on 31 December 2020. Since then, the global outbreak of covid-19 and the subsequent lockdown in the UK has left no opportunity to introduce and debate any new legislative initiatives to tackle corruption.

In contrast to the previous financial year, the SFO had a busier year in 2019/2020, albeit with mixed fortunes once again. Lisa Osofsky has had success with DPAs, with three settlements, including a record-breaking settlement with a major manufacturer of commercial jets. Together, the DPAs with Serco Geografix Limited, Güralp Systems Limited and the major manufacturer of commercial jets have seen receipt of nearly £25 million in financial penalties and costs, with over €400 million to be paid by the major manufacturer of commercial jets in fines and costs and a further €586 million in disgorgement, as part of its settlement.108

The DPA between the SFO and Tesco plc also came to a successful conclusion in April 2020, with all of its obligations during the three years of its agreement completed, including the implementation of an ongoing compliance programme. This provided some evidence for the merits of a well-structured and considered DPA regime.

As previously referred to, the SFO issued its much-anticipated Corporate Co-operation Guidance, in August 2019, setting out, in substantial detail, the steps that the SFO expects corporations to undertake to be eligible for cooperation credit when the SFO makes charging decisions, including guidance relating to whether a DPA would be appropriate.109 The SFO also updated its Operational Handbook for evaluating the effectiveness of compliance programmes in January 2020, providing further guidance to companies on what the SFO assesses during its investigations.110

By contrast, the acquittal of three Barclays executives in March 2020, following the dismissal of charges against the bank back in May 2018 and against John Varley, former CEO of Barclays, in April 2019, is a significant blow to the SFO. The dismissal of the charges against the bank has led to renewed calls for further governmental consideration of the law of corporate criminal liability.

The use of unexplained wealth orders has amassed further criticism over the last year. The Kazakh family recently won their challenge against the NCA in the High Court regarding three high-value London properties. Deciding against the NCA, the court held that the properties were legally owned and the NCA's assumptions were 'mistaken' and 'unreliable'.111 The defeat 'highlighted major weaknesses in the UK's defences against dirty money that should be addressed urgently'.112

In May 2019, the government published its response to the House of Lords Select Committee's post-legislative scrutiny report on the BA 2010. The response was on the whole non-committal, and largely noted the views of the House of Lords. However, in response to the Lords' concern regarding the SFO's slowness in bribery investigations, the government stated: 'their current Director has emphasised that speeding up the pace of their investigations is a key priority for the organisation. Accordingly, the SFO's Business Plan for 2019/20 outlines how SFO will speed up fraud and bribery investigations. The plan focuses on the delivery of four key priorities around: Operations, People, Stakeholders and Technology . . . Technology priorities include enhancing the use of Artificial Intelligence, predictive analysis and a new document and case management system to improve the management and review of the vast quantities of evidential material they collect'.113 No doubt the implementation of this Business Plan will be watched carefully over the coming year.

The Council of Ministers adopted the long-awaited EU Whistleblower Directive in September 2019. This rectifies what had been fragmented protection for whistle-blowers throughout the EU and guarantees a high level of protection for whistle-blowers who report breaches of EU law, including prohibition of all forms of retaliation and protecting confidential whistle-blowing. All 27 Member States will have until 2021 to comply and put the provisions into national law. However, at this stage the UK government has stated it will not implement the EU Whistleblower Directive but is committed to reviewing the UK's whistle-blowing framework 'once the recent reforms have built the necessary evidence of their impact. As part of this we will look at the protections offered in other countries'.114

Following the collapse of businesses such as Flybe and Patisserie Valerie, the FRC continues to come under criticism for its apparent weakness compared to other regulators, and recent research has called for firmer action to hold companies and their auditors to account. The FRC strategy for 2020/21 calls for further progress to be made in the FRC's transition to the new regulatory body, the Audit, Reporting and Governance Authority, which will provide a new interventionist mandate to try to bridge the delivery gap between what auditors say they will do and what they actually do, new leadership and stronger statutory powers. The Chief Executive of the FRC, Sir Jonathan Thompson, stated: 'The strategy builds a bolder, more forceful regulator that will act with pace in supervising and holding companies to account'.115 Only time will tell whether the reality matches the rhetoric.

Conclusions and outlook

Brexit was expected to remain at the forefront of political debate in the coming year, especially since the UK has now left the EU and entered into a transition period, following which EU laws and directives will no longer be legally enforceable in the UK. However, the global outbreak of covid-19 has instead dominated politics, leaving little political time or energy for new initiatives to tackle bribery, corruption and economic crime.

The covid-19 pandemic has also resulted in major delays in the English courts, with jury trials severely disrupted in a way that will likely have a lasting effect on the English courts' timetable in the years to come.

The government has called for regulatory bodies such as the SFO and NCA to focus and do more to fight corruption and economic crime. Given the difficulties these bodies have faced over the last year, it remains to be seen whether they will be able to fulfil those expectations.



1 Stuart Alford QC is a partner and Mair Williams and Harriet Slater are associates at Latham & Watkins. The authors would like to acknowledge the kind assistance of their colleague, Alayna Kenney, in the preparation of this chapter.

2 For instance, the Bribery Act 2010, which introduced a corporate offence of 'failure to prevent bribery'.

3 The SFO was created by and derives its investigatory powers from the Criminal Justice Act 1987 (CJA), which include powers to request the production of documents and the answering of questions.

4 The CMA's powers are largely drawn from the CA 1998 itself.

5 The FCA's investigatory powers are derived from the Financial Services and Markets Act 2000.

6 HMRC's investigatory powers are derived from the Finance Act 2009 (civil) and the Police and Criminal Evidence Act 1984 (criminal).

7 The OFSI's powers come from the Policing and Crime Act 2017.

8 The prosecuting powers of the CPS (and the SFO and FCA) are governed by the Code for Crown Prosecutors, which was updated in 2018 (available at:

9 The National Crime Agency was created by the Crime and Courts Act 2013. The NECC started operations on 31 October 2018.

10 The law of privilege in England and Wales has been the subject of a number of court challenges in recent years (see Section IV.iii).

11 DPAs are not available for individuals.

12 Principle 11: Relations with regulators, PRIN 2.1, the FCA Handbook (available at:

14 DISP 1.10, the FCA Handbook (available at: html).

15 SUP 16, the FCA Handbook (available at: SUP/16/?view=chapter).

16 MAR Schedule 2, the FCA Handbook (available at: Sch/2/2.html).

17 OFT and CMA Penalty Guidance and criminal immunity provided by Section 190(4) of the Enterprise Act 2002.

18 CMA, 18 April 2018, 'CMA's guidance as to the appropriate amount of a penalty' (available at:

22 It was noted that without self-reporting, Rolls-Royce was only considered for a DPA because of its 'exemplary' cooperation (available at: reporting-after-rolls-royce-is-it-worth-it).

24 Section 328(1), POCA 2002.

25 e.g., Section 328(1), POCA 2002.

27 R (on the application of AL) v. Serious Fraud Office [2018] EWHC 856 (Admin).

28 Code of Practice on Deferred Prosecution Agreements (available at:

30 Speech by Alun Milford, then SFO General Counsel, at GIR London Live, on 27 April 2017 (reported by GIR on 27 April 2017) and Speech by Alun Milford, then SFO General Counsel, at the Cambridge Symposium on Economic Crime 2017, Jesus College, Cambridge.

31 ibid., and interview with The Times, published 27 August 2014, David Green QC, then director of the SFO (available at:

32 Lisa Osofsky took up the role of SFO director on 28 August 2018.

35 id., at p. 32.

36 Director of the SFO v. Eurasian Natural Resources Corporation Ltd [2017] EWHC 1017 QB.

37 Similar to an Upjohn warning given in the United States.

38 This section deals with workplace-based whistle-blowing. The UK Code of Practice for Victims of Crime and the Witness Charter provides protection outside the context of the workplace for whistle-blowers.

39 Section 43K(1)(a)(ii), PIDA 1998.

40 IDS Employment Law Handbooks – Volume 14 – Whistleblowing at Work – Chapter 3 – Qualifying disclosures; Cavendish Munro Professional Risks Management Ltd v. Geduld [2010] ICR 325, EAT; and Kilraine v. London Borough of Wandsworth [2018] ICR 1850, CA.

41 Since June 2013, the disclosures no longer need to be made in good faith in order to be protected.

47 The FRC regulates the audit industry in the UK.

49 Ministry of Justice Guidance about procedures that relevant commercial organisations can put into place to prevent persons associated with them from bribing, at Paragraph 1.7.

53 Certain statutory offences may refine the general common law rule and specify different rules of attribution or require a different application of the rules in a particular case.

54 See FSMA 2000.

55 FCA website, '2019 fines' (available at:

56 ibid.

57 FCA, The Decision Procedure and Penalties Manual, DEPP 6 (available at:

58 CA 1998.

59 Section 36(8) of the CA 1998 and Section 4 of the CA 1998 (Determination of Turnover for Penalties) Order 2004, SI 2000/309.

60 Sections 31E and 34 of the CA 1998.

61 Deferred Prosecution Agreements – Code of Practice, the Crown Prosecution Service (available at:

62 Code of Practice on Deferred Prosecution Agreements (available at:

63 See Monetary Penalties for Breaches of Financial Sanctions Guidance, Office of Financial Sanctions Implementation HM Treasury.

65 The Crown Prosecution Service, 'Guidance on Corporate Prosecutions' (available at:

66 ibid.

71 'Tesco bosses' trial collapse puts plea bargain in dock; Retail & consumer. Courtroom drama Chain criticised for 'throwing executives under the bus' over accounting scandal', Financial Times (Jane Croft and Jonathan Eley), 24 January 2019, p. 17.

73 ibid.

74 Section 7 of the BA 2010 applies to any 'relevant commercial organisation' that Section 7(5) of the BA 2010 defines as:

a a body incorporated under the law of any part of the UK and that carries on a business (whether there or elsewhere), or any other body corporate (wherever incorporated) that carries on a business, or part of a business, in any part of the UK; or

b a partnership formed under the law of any part of the UK and that carries on a business (whether there or elsewhere), or any other partnership (wherever formed) that carries on a business, or part of a business, in any part of the UK.

75 As confirmed by R v. Rogers [2014] EWCA Crim 1680.

76 The Law Society Practice Note, 4 January 2019 (available at:

77 Sections 44(2) and (3) of the CFA 2017.

78 Section 44(4) of the CFA 2017.

80 'Enhancing international cooperation in the investigation of cross-border competition cases: tools and procedure', Note by the UNCTAD secretariat, 5–7 July 2017 and 'The serious business of fighting fraud', SFO Speeches, 19 January 2017.

84 ibid.

85 Treaty between the United States of America and the United Kingdom of Great Britain and Northern Ireland on Mutual Legal Assistance in Criminal Matters, signed at Washington, 6 January 1994.

86 2002/584/JHA.

87 Extradition Act 2003 (Designation of Part 1 Territories) Order (SI 2003/3333).

88 Parts 1 and 2 respectively of the Extradition Act 2003.

89 Sections 19B (Part 1 cases) and 83A (Part 2 cases), Extradition Act 2003; not in force in Scotland.

90 Regulation (EU) 2016/679.

91 The United Kingdom General Data Protection Regulation.

92 Page 6, 'Data Privacy and Transfers in Cross-Border Investigations', The Investigations Review of the Americas 2020.

93 Page 1, Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU–US Privacy Shield, OJ L 207, 1 August 2016.

94 ibid.

95 European Data Protection Board EU–US Privacy Shield – Third Annual Joint Review, adopted on 12 November 2019.

96 Paragraph 25, P7, European Data Protection Board EU–US Privacy Shield – Third Annual Joint Review, adopted on 12 November 2019.

97 The Civil Aviation Authority v. Jet2.Com Ltd [2020] EWCA Civ 35.

98 Director of the SFO v. Eurasian Natural Resources Corporation Ltd [2017] EWHC 1017 QB.

99 Raiffeisen Bank International AG v. Asia Coal Energy Ventures Limited & Anor [2020] EWCA Civ 1; The Civil Aviation Authority v. Jet2.Com Ltd [2020] EWCA Civ 35.

100 Re The RBS Rights Issue Litigation [2016] EWHC 3161.

101 ibid.

102 [2017] EWHC 1017 (QB).

103 [2018] EWCA Civ 2006, Paragraph 59.

104 ibid., Paragraph 124.

105 ibid., Paragraph 130.

106 Raiffeisen Bank International AG v. Asia Coal Energy Ventures Limited & Anor [2020] EWCA Civ 1; The Civil Aviation Authority v. Jet2.Com Ltd [2020] EWCA Civ 35.

111 National Crime Agency v. Baker & Ors [2020] EWHC 822 (Admin).
