All questions


The law on corporate criminal attribution in England and Wales has historically made it difficult to hold entities to account for the actions of their employees. Driven by developments in certain areas of criminal law,2 increasingly aggressive enforcement in sectors such as financial services, and increasing public demands for corporate accountability, the nature and scope of corporate investigations have been steadily growing.

Several bodies have responsibility for various aspects of corporate investigations:

  1. the Serious Fraud Office (SFO) investigates and prosecutes the most serious cases of fraud and other economic crimes in the United Kingdom (UK). This includes lead-agency responsibility for enforcing the Bribery Act 2010 (the BA 2010);3
  2. the Competition and Markets Authority (CMA) is the main competition regulator and is responsible for enforcing the Competition Act 1998 (the CA 1998) and the Enterprise Act 2002;4
  3. the Financial Conduct Authority (FCA) is both a prosecuting body and the regulator of financial institutions, with responsibility for maintaining the integrity of the UK financial markets, including the investigation of financial sector crimes, such as market abuse and insider dealing;5
  4. Her Majesty's Revenue and Customs (HMRC) investigates tax and revenue-related offences with wide-ranging civil and criminal investigatory powers;6
  5. the Office of Financial Sanctions Implementation (OFSI) implements the UK sanctions regime;7
  6. the Crown Prosecution Service (CPS) prosecutes cases investigated by the police forces of England and Wales,8 as well as on behalf of HMRC and the CMA (which have only investigatory powers and no prosecuting authority);9 and
  7. the National Crime Agency (NCA), which includes the National Economic Crime Centre (NECC),10 coordinates and assists the work of the other agencies and the police in the investigation and prosecution of economic crime.

These bodies have a range of powers to enforce the legislation applicable within their remits. These powers include the ability to execute search warrants and to file compulsory production notices for the production of documents in certain cases. Some of these powers can only be exercised with a court order, some have to be exercised with the assistance of the police and others are wholly in the control of the agencies themselves (determined by the statutory powers by which they are established).

The ability and extent of the bodies' powers to obtain material has been the subject of a number of important challenges through the courts in recent years, which will be discussed further below. Corporations are not permitted to withhold documents from the authorities on the grounds of client confidentiality and data privacy, and must hand over any materials requested by such notices and orders, except when legal privilege applies.11 In England and Wales, failure to comply with a lawful production order is a separate criminal offence.


i Self-reporting

A corporate's approach to self-reporting in England and Wales must be considered against a broad spectrum of factors, which include the nature of the issue, the prospect of enforcement activity, the benefits of cooperation with authorities, the industry sector in which the corporate operates and the supervisory regime applicable to the corporate. Although there is no obligation to self-report most criminal conduct, there are notable exceptions for those operating in regulated sectors such as financial services. The decision whether to self-report will need to take into account this wide range of factors, as well as the possibility of enforcement actions in other jurisdictions (which will be subject to their own decision in respect of self-reporting). Such decisions will usually be taken with the assistance of legal counsel.

The FCA's principles of openness create an expectation that the entities they regulate will self-report issues.12 The regulator has regularly made clear that it regards self-reporting to be a key part of the open and cooperative relationship it expects of its regulated entities.13 Within its guidance, the FCA mandates a large number of reporting requirements, including reporting in relation to complaints,14 accounts15 and market abuse.16 The principle of openness has, on several occasions, been the basis for fining firms for failing to adequately self-report. On 31 March 2021, the FCA published a policy statement17 confirming its decision to extend its requirements to include more entities within the scope of the annual financial crime data reporting obligation (REP-CRIM). The FCA explained that this decision increases the number of firms that must submit a REP-CRIM return from around 2,500 to around 7,000. Firms being brought into scope are required to submit their first REP-CRIM within 60 business days of their first accounting reference date falling after 30 March 2022. The FCA believes that the data it gathers via these returns will help it to better identify financial crime risks, trends and emerging issues. The data will also help it to more accurately risk-rate firms and target its specialist resources. One outcome will be fewer visits to firms posing lower risks, which the FCA recognises is an unnecessary burden for those firms and an inefficient use of its resources.

The CMA takes a more discretionary approach to self-reporting, but one based on an explicit framework for the recognition of reporting.18 The leniency programme is designed to encourage companies that have been involved in wrongdoing to proactively cooperate with the CMA. To encourage self-reporting, the CMA offers a sliding scale of leniency ranging from total immunity to reduced financial penalties, depending on the timing of the self-reporting.19 As with most self-reporting regimes, the earlier the report is made, the more lenient the authority will be.

Although not as structured as the CMA scheme, a similar incentive-based self-reporting approach is taken by the SFO and the CPS. The SFO's policy on corporate self-reporting states that self-reporting will be a key factor in its deciding whether to prosecute.20 Initially the SFO had indicated that only companies that self-reported would be eligible for a deferred prosecution agreement (DPA),21 but Rolls-Royce,22 Tesco23 and, more recently, Amec Foster Wheeler24 all secured DPAs without self-reporting. On 23 October 2020, the SFO published its detailed guidance25 on the DPA chapter of its Operational Handbook, which introduced 'suggested' terms for DPAs that SFO investigators were encouraged to use when negotiating DPAs. These terms emphasised the need for self-reporting of any misconduct that comes to a corporation's attention during the course of a DPA, as well as requiring SFO approval for any sale or merger of the corporation while a DPA is in effect.

An additional but discrete layer of strict self-reporting is required under the Proceeds of Crime Act 2002 (the POCA 2002). The POCA 2002 legislates for a number of criminal money laundering offences, including being concerned in an arrangement that the person knows or suspects facilitates the acquisition, retention, use or control of criminal property by or on behalf of another person.26 Voluntary self-reporting through an authorised disclosure (a suspicious activity report) may be used as a defence to such an offence.27 Although self-reporting is not compulsory for non-regulated persons, it is a criminal offence for a regulated person – who has reasonable grounds for knowing or suspecting that another person is engaged in money laundering – to fail to report such knowledge or suspicion.

ii Internal investigations

Both international and domestic companies are increasingly using internal investigations as a way of mitigating risk, as well as honouring regulatory obligations. A company can no longer consider it a viable option to turn a blind eye to any allegations or suspicions that it receives about its business operations, and an internal investigation is a common first step in dealing with potential issues.

Legal professional privilege is an issue related to internal investigations that has received significant attention in the past few years. In England and Wales, internal legal counsel enjoy the same legal privilege as external counsel, so instructing external counsel may not offer the advantage, in this respect, that it does in other jurisdictions. The extent of that privilege is set out in the case of Director of the SFO v. Eurasian Natural Resources Corporation Limited,28 which remains the current law in this regard.

iii Whistle-blowers

The Public Interest Disclosure Act 1998 (the PIDA 1998) sets out market-wide protection for whistle-blowers.29 The PIDA 1998 has a significantly broader definition of 'worker' than the Employment Rights Act 1996, which includes employees, employee shareholders and agency workers.30 Should an employer dismiss a worker for the reason (or principal reason) that the employee made a 'protected disclosure', this dismissal will automatically be unfair.31 Further, if an employer subjects an employee to any detriment for making a protected disclosure, the employee could also have a distinct claim for detriment up to the date the employee was dismissed. Detriment can include damaged career prospects, docking of pay, loss of work or disciplinary action.

On 8 September 2019, the Council of Ministers adopted the EU Whistleblower Directive (the Directive),32 which grants greater protections to individuals who report any breach of EU law. While the Directive is to be treated as a floor for unified protections across the EU, countries can further strengthen their own regimes as they wish. The UK did not implement the Directive prior to its exit from the EU, but many of the protections underpinning it already exist in legislation such as the PIDA 1998. The Directive is nevertheless relevant for companies with operations in continental Europe that need to have regard to its provisions to maintain a single unified whistle-blowing framework.

The second report of the UK All Party Parliamentary Group (APPG) for Whistleblowing, published in July 2020,33 highlighted a 'historically low success rate' of 12 per cent for whistle-blowing claims and recommended revising the current law and creating an Independent Office of the Whistleblower (IOW). Mary Robinson, chair of the APPG for Whistleblowing, proposed a Whistleblowing Bill on 26 April 2022, which, if enacted, would establish an IOW as well as strengthen protections for whistle-blowers.34

The financial services sector has developed a more rigorous whistle-blower regime than that created under the PIDA 1998. The current regime applies to around 8,000 companies operating in the financial services sector, but this could increase to an estimated 55,000 companies once the regime is widened.35 From April 2020 to March 2021, the FCA managed and assessed 1,046 whistle-blower reports, which included 2,754 separate allegations.36 In March 2021, the FCA launched a campaign, 'In confidence, with confidence', to encourage individuals working in financial services to report potential wrongdoing.37 Data published by the FCA for Q3 and Q4 of 2021 suggests that the campaign has not yet resulted in an increase in whistle-blower reports, with 568 reports received over this six-month period.38

The Financial Reporting Council (FRC),39 which is responsible for setting UK standards of corporate governance, includes, within the UK Corporate Governance Code 2018, a principle that '[t]here should be a means for the workforce to raise concerns in confidence and – if they wish – anonymously.'40 This Code, however, operates on a 'comply or explain' basis, so listed companies are not obliged to have a whistle-blowing policy in place, even if it is good practice.

Similarly, the Ministry of Justice (MOJ) suggests that having proportionate whistle-blowing procedures41 may be an important part of asserting an 'adequate procedures' defence to the offence of failing to prevent bribery under Section 7 of the BA 2010 and the British Standards Institution outlines whistle-blowing procedures as part of its published standard for Anti-Bribery Management Systems.42


i Corporate liability

In general, a corporate employer is vicariously liable for its employees' tortious acts if this would be fair and just. Two recent Supreme Court decisions provide some clarification on the question of an employer's liability for rogue employees' acts. In WM Morrison Supermarkets plc v. Various Claimants,43 the Supreme Court held that Morrisons was not vicariously liable for the actions of an employee who, without authorisation and in a deliberate attempt to harm his employer, uploaded payroll data to the internet using personal equipment at home. This decision provides welcome confirmation for employers that they will not always be liable for data breaches that rogue employees commit. In Barclays Bank plc v. Various Claimants,44 the Supreme Court, overturning a Court of Appeal decision, held that Barclays was not vicariously liable for the acts of a self-employed medical practitioner who was alleged to have committed sexual assaults while carrying out medical assessments of the bank's prospective employees. However, the decision noted that a person can be held vicariously liable for the acts of someone who is not their employee, provided the relationship between them is sufficiently akin to employment. If the employees' acts are within the ordinary course of their employment, this will usually suffice for the employer to incur vicarious liability.

By contrast, corporate criminal liability is most often only established if a criminal offence imposes strict liability and the state of mind of the company (acting through its employee) does not need to be established. In addition, there are a growing number of statutory offences that create a corporate liability, such as the offence of 'failure to prevent bribery' under Section 7 of the BA 2010, which is discussed further below.

Apart from those offences that create a direct corporate liability, companies will only otherwise be liable for offences requiring proof of a criminal state of mind by application of the 'identification principle'. The identification principle imputes, to the company, the acts and state of mind of the individuals who represent the 'directing mind and will' of the company. This is much more narrow than the basis of attribution in the US, for instance, where a company can be liable for the actions of its agents and employees when they act within the scope of their employment and, at least in part, to benefit the company (which is more akin to the basis for civil liability in England and Wales).

The BA 2010 introduced a new approach to establishing corporate criminal liability in the UK. It legislates for bribery offences committed in the UK and abroad by individuals and companies. Section 7 of the BA 2010 creates the offence of failure to prevent bribery, which can be committed by a corporate entity only. It first requires that a person associated with the company has committed an offence under Sections 1 or 6 of the BA 2010 or would have done if they were within the territorial scope of the BA 2010. A person is 'associated with' the company if they perform services for or on behalf of the organisation in any capacity. This is, therefore, not confined to employees but can also cover third parties such as agents and independent contractors. Secondly, Section 7 of the BA 2010 requires that the person who committed the offence to have intended either to obtain or retain business or an advantage in the conduct of business for the company. Knowledge on the part of the company is not required. Section 7 of the BA 2010 has a broad territorial scope and applies not only to UK-incorporated companies, but also to those that carry on a business or part of a business in the UK. The BA 2010 provides a complete defence to the corporate offence of failure to prevent bribery, if the company had in place adequate procedures designed to prevent acts of bribery by persons associated with it at the time of the alleged conduct (this is discussed in more detail below).

On 4 October 2021, following a guilty plea under Section 7 of the BA 2010, Petrofac Limited was sentenced to pay £77 million for seven counts of failure to prevent bribery between 2011 and 2017.45 This fine, the largest imposed on a company under the BA 2010, came after a four-year investigation by the SFO into cross-border corruption at the Petrofac Group and was accompanied by the conviction of David Lufkin, the group's former head of sales, of 14 counts of bribery contrary to Section 1(1) and 1(2) of the BA 2010, after he had agreed to give evidence of the wrongdoing to the SFO.

ii Penalties

Corporations considered liable for corporate misconduct can suffer penalties ranging from a minor fine to a substantial financial penalty and severe criminal consequences from a selection of prosecuting bodies.

The Financial Services and Markets Act 2000 (the FSMA 2000) grants the FCA the power to impose a variety of sanctions ranging from public censure to revocation of FCA authorisations and large regulatory fines.46 In 2020, a number of notable fines were associated with breaches of the FCA's Principles for Business.47 Credit Suisse International, Credit Suisse Securities (Europe) Ltd and Credit Suisse AG, for example, were fined £147,190,200 for financial crime and anti-bribery and corruption failings in the investment banking sector.48 The FSMA 2000 also grants the FCA the power to bring criminal prosecutions for the purpose of tackling financial crime such as investigations for insider dealing pursuant to the Criminal Justice Act 1993, and breaches of the recently enacted Sanctions and Anti-Money Laundering Act 2018. The FCA's Decision Procedure and Penalties Manual sets out a non-exhaustive list of the factors that the FCA considers before issuing a penalty, which includes looking at the nature, seriousness and impact of the suspected breach, the conduct after the breach and previous disciplinary record and the compliance history of the person in question. The FCA will also consider 'the full circumstances of each case' when determining whether to impose a penalty.49

The CMA also has a range of criminal and civil legislative powers it can exercise with regard to competition law infringements. The CMA can impose fines for breach of the CA 1998 if the CMA is satisfied an infringement has either been intentionally or negligently committed.50 The most notable fine that the CMA can impose is an amount up to 10 per cent of a firm's worldwide turnover in the business year that precedes the date of the CMA's decision.51

The CMA can also agree terms of settlement and the making of commitments.52 Settlement allows early resolution of investigations by way of a voluntary process if a business under investigation by the CMA for a breach of competition law admits a breach and accepts a streamlined version of the process that will govern the remainder of the CMA investigation. In return for its cooperation and an admission of wrongdoing, the business will gain a reduction in any financial penalty that the CMA imposes.

The SFO has the power to prosecute in cases involving serious or complex fraud, bribery and corruption. Alternatively, the SFO may consider inviting a company to enter into a DPA, which is supervised by a judge and governed by the DPA Code published by the SFO and the CPS, which states that the SFO's role is as a prosecutorial authority and that DPAs are for use only in exceptional circumstances.53 Successful completion of a DPA means a company can avoid a criminal conviction.

Individuals prosecuted and convicted by these agencies can be sentenced to pay fines, compensation and court costs and may receive prison sentences if the offences are serious enough. In addition, individuals may be disqualified from holding directorships in the UK.

iii Compliance programmes

Both the CMA and the FCA publish a variety of documents to assist companies in meeting their compliance obligations, including annual plans and a great deal of guidance in the run-up to and following Brexit.

As described above, the BA 2010 provides a defence to the Section 7 offence, if a commercial organisation can show on the balance of probabilities that it had in place adequate procedures designed to prevent bribery. The MOJ has provided guidance on what may be considered to constitute adequate procedures for the purposes of the defence, although, ultimately, what constitutes adequate procedures will be determined by the courts.54

The BA 2010 adequate procedures defence was tested for the first time in the case of R v. Skansen Interiors Limited.55 The case concerned two bribes that had been paid to an employee managing the tender for an office refurbishment by Skansen Interiors Limited (SIL), a small refurbishment company. When a new chief executive officer took over at SIL and learned about the payments that had been made, he initiated an internal investigation and established an anti-bribery and corruption policy. SIL then submitted a suspicious activity report to the NCA.

The question for the jury was whether SIL had adequate procedures in place. SIL argued, inter alia, that its policies and procedures were proportionate to its size – it was a very small business operating out of a single open-plan office; its business was very localised, removing the need for more sophisticated controls; it was 'common sense' that employees should not pay bribes; the ethos of the company was one of honesty and integrity; and a company of its size did not need a more formal policy. The jury did not agree and returned a guilty verdict.

iv Prosecution of individuals

The CPS and the SFO also look to prosecute individuals for financial crime when a business is prosecuted within England and Wales. The Guidance on Corporate Prosecutions states that the prosecution of a company should not be seen as a substitute for the prosecution of criminally culpable individuals such as directors, officers, employees or shareholders of the offending company.56 The prosecution of individuals in circumstances involving corporate misconduct is viewed as essential in providing a strong deterrent against future corporate wrongdoing.57

When proceedings or enforcement actions are launched against individuals, the company involved must be conscious of its obligations towards its employees. Often, corporates will suspend the individuals suspected of wrongdoing for the duration of any investigations; however, any suspension must be deemed to be fair and reasonable. Individual employees may be entitled to support from their employer company by means of assistance with legal fees in the event of any investigations, although currently there is no statutory requirement for this. Alternatively, some employees may be entitled to some form of officer liability insurance, which can provide cover for the duration of an investigation or trial. Given the scale and cost of government investigations to date, this has become the norm in larger companies.

Recently there has been attention on the SFO's mixed success in prosecuting individuals connected to companies that are the subject of criminal proceedings. For example, in December 2019, the SFO charged two former directors of Serco Geografix Limited, which had entered into a DPA with the SFO in July 2019.58 On 26 April 2021, the case collapsed after facts emerged indicating that the SFO erred when disclosing documents, which jeopardised the fairness of a trial.59 This means that the SFO has so far failed to prosecute any individuals associated with the DPAs it has entered into since they were introduced in 2014. However, the upcoming fraud trial of three former executives of G4S, with which a DPA was concluded in July 2020, gives the SFO an opportunity to reverse this trend. Separately, the SFO succeeded in convicting Stephen Whiteley and Basil Al Jarah in connection with the Unaoil bribery case, in July 2020 and October 2020 respectively, and Julio Faerman in connection with Brazil's 'Operation Car Wash' scandal, in November 2020. More recently, in October 2021, Petrofac Limited's former Head of Sales, David Lufkin, was sentenced to two years' imprisonment for bribery offences in relation to oil and gas contracts in the Middle East.60 Mr Lufkin's sentence was suspended for 18 months on account of his extensive cooperation with the SFO, including giving a series of interviews under caution and signing seven statements, without which the conviction of his employer, discussed in Section III.i, would not have been possible.


i Extraterritorial jurisdiction

Any departure from the general presumption against the creation of extraterritorial liability must be expressly provided by the legislature;61 below is an overview of key examples of pieces of UK legislation containing corporate offence provisions with extraterritorial reach.

The BA 2010 has a wide territorial remit, covering offences that take place in the UK or overseas as long as the company is either UK incorporated or carries on at least a part of its business in the UK.62

Among other laws, the POCA 2002 contains the UK's money laundering offences. Broadly speaking, the money laundering provisions aim to tackle the channels through which proceeds of criminal activity pass. In terms of jurisdictional reach, the location of the underlying criminal conduct is irrelevant; if the conduct would amount to a criminal offence in the UK, had it occurred there, then it will fall within the ambit of the POCA 2002, subject to very limited exceptions.63 In addition, UK nationals, living overseas, can also be prosecuted for money laundering offences committed outside the UK. The Home Office published a consultation (which ran from 28 January 2021 to 19 March 2021) to obtain feedback on potential changes to the bodies to which the POCA 2002 grants certain financial investigatory powers, including those extending to money laundering investigations. At the time of writing, the outcome of the public feedback is yet to be released.

The offence of failure to prevent the facilitation of tax evasion was introduced by the Criminal Finances Act 2017 (the CFA 2017) and applies to both domestic and overseas tax evasion. Under the CFA 2017, companies are liable for the conduct of their associated persons who facilitate the evasion of either UK or overseas tax. For the UK tax evasion offence, the conduct can occur anywhere in the world; for the foreign tax evasion offence, the relevant body must either be incorporated in the UK, carry on business in the UK or the relevant conduct must have taken place in the UK. 'Relevant bodies' will be liable for failing to prevent the actions of their employees or other associated persons who criminally facilitate tax evasion.64 A 'relevant body' is a company or partnership, irrespective of jurisdiction of incorporation or formation.65 A 'person associated' with the relevant body is an employee, an agent or any other person performing services for or on behalf of that relevant body.66 To the extent the offence took place outside the jurisdiction, UK prosecutors need to prove, to the criminal standard, that both the taxpayer and the associated person committed an offence. Like the corporate offence under the BA 2010, the CFA 2017 provides companies with a defence where they can show that they had in place 'reasonable procedures' to prevent the offending.

With the increase in online criminal activity, the Crime (Overseas Production Orders) Act 2019 (the COPO Act) will provide a useful basis for investigators and prosecutors that require quick access to electronic data (such as emails) situated outside the UK. However, the extraterritorial power will only be effective if there is a cooperation agreement in place between the UK and the jurisdiction where the holder of the data is located. At the time of writing, there is only one cooperation agreement in place, between the UK, Northern Ireland and the US.67 Reliance on the COPO Act is likely to increase in light of the recent case of R (on the application of KBR, Inc) v. Director of the Serious Fraud Office,68 in which the Supreme Court held that the SFO did not possess the power to compel a US company to produce documents it held outside the UK. The Supreme Court ruled that Section 2(3) of the Criminal Justice Act 1987 does not have extraterritorial effect, overturning the earlier judgment in which the High Court allowed the application of Section 2(3) to a foreign company if a sufficient connection existed between the company and the UK. This ruling's practical impact is that the SFO must continue to rely upon other routes to obtain documents a foreign company holds overseas, such as by using overseas production orders under the COPO Act and the mutual legal assistance regimes.

ii International cooperation

The UK authorities work with their counterpart authorities in other jurisdictions in a variety of ways. Some 'formal' methods of cooperation exist,69 but it is not uncommon for international enforcement authorities to share information with their foreign counterparts through more informal channels of communication, relying on established relationships.70

Following Brexit, there has been a degree of uncertainty regarding the future framework for international cooperation between the UK and Europe. After the UK's transition period ended, the European Union, the European Atomic Energy Community, and the United Kingdom of Great Britain and Northern Ireland entered into the Trade and Cooperation Agreement (the Trade Agreement). Title VII of the Trade Agreement outlines provisions that facilitate international cooperation between the UK and EU Member States regarding law enforcement. It introduces the concept of surrender, which deals with the issue of extradition and aims to replace the European Arrest Warrant system as a fast-tracked extradition system between EU Member States and the UK with limited grounds for refusal and time-limited processes. The new arrest warrant, which appears in Annex Law-5 of the Trade Agreement, mirrors the European Arrest Warrant's content and form.

iii Local law considerationsEconomic Crime (Transparency and Enforcement) Act 2022

In response to Russia's invasion of Ukraine, the UK government fast-tracked new financial crime legislation aimed at curbing the flow of ill-gotten gains into the country. The Economic Crime (Transparency and Enforcement) Act 2022 (ECA), passed on 15 March 2022, provides for a 'Register of Overseas Entities' (Register), which will contain details about the beneficial owners of overseas entities that hold certain UK property. All overseas entities that purchase a freehold estate or a leasehold estate granted for more than 21 years in the UK will have to submit such details for inclusion in the Register and this requirement also applies retrospectively to purchases made on or after 1 January 1999 in England and Wales or 8 December 2014 in Scotland. An overseas entity that fails to submit the required details for inclusion in the Register will face restrictions on selling, mortgaging or granting leases of more than seven years of the UK property it holds. Breach of these restrictions is a criminal offence carrying a maximum penalty of five years' imprisonment for the entity's directors.

The ECA also removed perceived obstacles to the use of unexplained wealth orders (UWOs) – of which only nine have been obtained in relation to four cases as of February 2022.71 Chief among the changes are:

  1. an alternative test for obtaining a UWO, namely whether the court is 'satisfied that specified assets have been obtained through unlawful conduct';
  2. a ban on costs orders against enforcement agencies in UWO cases, unless they acted unreasonably in making an application or acted dishonestly or improperly during the proceedings; and
  3. the option for enforcement agencies to apply for more time to review information provided by the respondent.

The above measures will come into effect on a day to be appointed by the Secretary of State.


Recent case law has emphasised that media outlets in the UK must exercise caution when reporting on criminal investigations prior to the point of charge. In February 2022, the Supreme Court held that publishing the name and details of an individual suspected of a criminal offence who was not yet charged was an unlawful interference with their right to private and family life under Article 8 of the European Convention on Human Rights.72 The court considered that there was a reasonable expectation of privacy in relation to such information given the reputational damage it ordinarily causes. This expectation is not negated by role or status, although the court noted that the limits of acceptable criticism are wider for high-profile individuals. The public interest may justify disclosing details of an investigation but it is advisable for media outlets to conduct, and keep a record of, a thorough public interest assessment. In some cases, however, the public interest favours non-disclosure, as where it may prejudice the relevant investigation.

Data privacy

After the UK's Brexit transition period ended, the EU's General Data Protection Regulation (the EU GDPR) ceased to directly apply to the UK.73 The EU GDPR had extraterritorial application to organisations that monitor behaviour of individuals that takes place within the EU, or to organisations offering services or goods to individuals in the EU. The UK government has issued its own version of the GDPR, namely the United Kingdom General Data Protection Regulation (the UK GDPR), which took effect on 31 January 2020, and does not contain any significant differences from the EU GDPR, as evidenced by the Keeling Schedule, last updated on 18 December 2020.74

The UK GDPR imposes strict data protection obligations and prohibits the transfer of personal data from the UK to a location outside the European Economic Area (EEA), unless the recipient, jurisdiction or territory is able to ensure a UK-equivalent level of protection. Currently, the European Commission has determined that only a few countries provide adequate levels of protection, while many other countries, such as the US, fall short of the standard.75 This means organisations operating in the UK may be limited in their ability to transfer personal data into various non-EEA territories. By virtue of the Trade Agreement, transfers of personal data from the EEA to the UK could continue unrestricted until 1 May 2021, with an automatic extension to 1 July 2021 unless either side objected. On 28 June 2021, the European Commission adopted data adequacy decisions for the UK which allow personal data to flow freely from the EU.76 The adequacy decisions include a sunset clause that limits their duration to four years, after which they will automatically expire and may only be renewed if the UK continues to ensure an adequate level of data protection.

Legal professional privilege

Legal professional privilege has been a heavily litigated issue in recent years. England and Wales recognises two forms of legal professional privilege, in respect of both in-house and external counsel:

  1. 'litigation privilege', which attaches to communications passing between a lawyer and a client, and also between a lawyer or client and a third party (such as a forensic accountant), for the sole or dominant purpose of preparing for adversarial litigation.77 The litigation can either be in progress or in contemplation, and includes civil and criminal litigation;78 and
  2. 'legal advice privilege', which attaches to confidential communications passing between lawyer and a client for the purposes of giving or receiving legal advice. It will not usually apply to communications between a company and its own employees in the context of an investigation.

The meaning of 'client' was discussed in detail in Three Rivers No. 5,79 yet the ratio of the case has been inconsistently understood and, although it has been recently criticised,80 Three Rivers No. 5 remains the leading authority in this respect. The concept of 'client' in a corporate context was considered again in Re The RBS Rights Issue Litigation, in which Hildyard J held that interview notes produced by lawyers during the course of an internal investigation were not protected by legal advice privilege.81 Hildyard J understood the Three Rivers No. 5 decision as establishing the principle that the 'client', for the purposes of a lawyer–client communication protected as legal advice privilege, must be someone who is authorised to seek and receive legal advice.82

Year in review

In January 2022, Transparency International released its 27th annual Corruption Perception Index,83 in which the UK gained one point since the previous index but remained out of the top 10 for public sector transparency for the fourth year in a row. Concerns persist that the UK may be a safe haven for money laundering; an estimated £6.7 billion in suspected illicit funds has been poured into prime real estate since 2016, including £1.5 billion from individuals linked to the Kremlin,84 earning the capital its 'Londongrad' moniker. The Register is a significant step forward in this regard, not least because it has been the victim of years of delay. The plan was first conceived in 2016 and was included in draft legislation drawn up in 2018 before being shelved. Its hasty revival by the UK government came after reports it had been put on hold again until the 2023–24 parliamentary session.85

The government has hinted at further reforms to be introduced via a second economic crime act, but as yet nothing has been announced. Home Secretary Priti Patel has indicated that the second act will be a 'very substantial piece of legislation' including measures that were dropped from the ECA in the interest of time.86 These will include changing the law on limited partnerships and introducing new powers for the government to seize cryptocurrency assets.87 The government is also proposing to expand the role of Companies House to transform it into a 'gatekeeper over company creation', with powers to query information submitted for filing and share suspicions with public authorities, law enforcement bodies such as the NCA and SFO, and insolvency practitioners.88

The SFO, among others, is keen for there to be more 'failure to prevent' corporate criminal offences, similar to the UK's offences of failure to prevent bribery and failure to prevent the facilitation of tax evasion (as discussed in Sections III.i and IV.i). In November 2020, the government announced that the Law Commission would investigate the UK's corporate criminal liability legislation, following the MOJ's 2017 call for evidence. On 10 June 2022, the Law Commission published its Corporate Criminal Liability Options Paper89 analysing the current laws and setting out options for reform. The Law Commission did not recommend the introduction of a broad 'failure to prevent economic crime' offence, instead proposing more specific failure to prevent offences covering fraud by an associated person (e.g., an employee or agent) to benefit the company, human rights abuses, ill treatment or neglect and computer misuse.90

The Options Paper also proposes modifying the 'identification principle'.91 The Law Commission's proposed approach would see criminal liability attributed to a company where its senior management, collectively or individually, engaged in, consented to, or connived in the offence. 'Senior management' would include any person who plays a significant role in either organising, or making decisions about organising, the whole or a substantial part of the company's activities. More radical reform options, such as allowing companies to be convicted on the basis of their 'corporate culture', were rejected. The UK government will consider the Law Commission's proposals and may decide to incorporate them into a future economic crime act.

Covid-19's impact on the SFO brought a slowdown in the pace of investigations.92 The pandemic hindered access to physical evidence, causing procedural delays. Global Investigations Review reported that the SFO severely reduced suspect interviews and search execution in the pandemic's wake.93 Lisa Osofsky, the director of the SFO, stated that the pandemic has created new opportunities for criminals and that 'law enforcement are working across government to assess and respond to the new threat'.94 While the SFO itself is yet to announce any investigations into covid-19-related crimes, the government has confirmed that the SFO is investigating suspected fraudulent applications for covid-19 loans.95

Despite the disruption to some of its procedures, the SFO maintained its work on DPAs, concluding three during 2021, with Amec Foster Wheeler Energy Limited96 and two as yet unnamed companies.97 The SFO also succeeded in its prosecution of Petrofac Limited, which pleaded guilty to seven counts of failure to prevent bribery contrary to Section 7 of the BA 2010 pursuant to a plea agreement.

The SFO's internal processes and controls continue to be under the spotlight. It emerged in July 2020 that Lisa Osofsky had exchanged emails and texts with a retired US Drug Enforcement Administration agent while he was acting for the founders of Monaco-based consultancy Unaoil in connection with a bribery, corruption and money laundering investigation. The agency's refusal to disclose details of these communications during its investigation into Unaoil has resulted in convictions against two company executives being quashed, while a third is being appealed. The Attorney General has appointed retired High Court judge David Calvert-Smith to lead an independent review into the SFO's handling of the Unaoil case, which at the time of writing is expected to conclude in June 2022. Separately, in May 2022, a High Court judgment in long-running civil proceedings held that the SFO had induced law firm partner Neil Gerrard to breach his contractual and fiduciary duties to his client, Eurasian Natural Resources Corporation Limited (ENRC), during a corruption investigation. Mr Gerrard had shared confidential information with the SFO without authorisation from ENRC and although SFO officers never initiated contact with him, they were found to have been a 'willing audience', never turning down requests for meetings or cautioning against referring to unauthorised matters.98 A further claim against the SFO, in the same proceedings, for misfeasance in public office was unsuccessful.

In its first criminal prosecution for offences under the Money Laundering Regulations 2007 (MLR), the FCA achieved convictions against NatWest for failing to adhere to the requirements of Regulations 8(1), 8(3) and 14(1) of the MLR by not adequately exercising controls over £264 million in cash allegedly paid into customers' accounts. NatWest pleaded guilty and on 13 December 2021 was fined over £264.8 million.99 This 'very considerable fine', reduced by one-third on account of NatWest's early guilty plea, was described at sentencing as commensurate with 'the size and financial position of the offending organisation and the seriousness of the offence'.100

Conclusions and outlook

The need for robust corporate investigations has continued as companies face an increased focus on their culture and systems from a wide range of sources, including press and non-governmental agency inquiries, as well as the growing effect of social media campaigning. In addition to familiarising themselves with the provisions of the ECA, companies should be alert to the prospect of further financial crime legislation as the UK government continues to address calls to crack down on money laundering and update the approach to corporate criminal liability. Such legislation will be shaped by the Law Commission's options paper on corporate criminal liability, the UK's post-Brexit approach to sanctions and money laundering, and the major shift in geopolitical agenda caused by Russia's invasion of Ukraine.

It should be borne in mind that the impact of new legislation alone will always be limited. That legislation requires enforcement and if agency budgets remain meagre and those organisations continue to be embroiled in their own internal investigations, the ECA and any successive legislation may remain an underutilised force.