Tom Stocker, Neil McInnes, Laura Gillespie, Stacy Keen, Olga Tocewicz, Alistair Wood and Rebecca Devaney, Pinsent Masons LLP
This is an extract from the fourth edition of GIR's The Practitioner’s Guide to Global Investigations. The whole publication is available here.
General context, key principles and hot topics
1Identify the highest-profile corporate investigation under way in your country, describing and commenting on its most noteworthy aspects.
The investigation by the UK Serious Fraud Office (SFO) into Unaoil (which involves allegations of bribery, corruption and money laundering) continues to draw interest as much for the related investigations it has spawned as for the investigation into its affairs; during summer 2019, another individual (Basil Al Jarah, Unaoil’s former partner in Iraq) pleaded guilty to five offences of conspiracy to give corrupt payments.
The SFO’s related investigation into the officers, employees and agents of Petrofac plc and its subsidiaries for suspected bribery, corruption and money laundering is also of interest. In February 2019, Petrofac International Limited’s former global head of sales pleaded guilty to bribery. Four other senior executives were named in the charging documents but have not been charged at the time of writing. The naming of the executives without charge by the SFO has been criticised as materially prejudicial to their rights and reputation. No charges have so far been levied against a Petrofac company.
The naming of executives by the SFO also caused controversy in two deferred prosecution agreements (DPAs) concluded during 2018–2019, leading to calls for anonymity until charges are brought.
Another related investigation, into US engineering company KBR’s UK subsidiary, has also raised interesting points this year, particularly on the question of the extraterritorial reach of the SFO’s investigatory powers.
2Outline the legal framework for corporate liability in your country.
A corporation can be held criminally liable under the laws applicable to the UK (the laws of England and Wales, Northern Ireland and Scotland, referred to collectively as UK laws) and there are several ways this can arise, depending on the factual circumstances and the types of underlying conduct.
Typically, corporate criminal offences of strict liability and offences involving a company’s vicarious liability for its employees’ actions arise for a range of regulatory offences under UK laws. These features of corporate criminal liability are not considered in detail in this chapter, as they tend to be less common in relation to financial crime matters, with the exception of offences involving company legislation. Generally, however, UK principles of vicarious liability of employers for the criminal conduct of employees differ markedly from the US doctrine of respondeat superior.
For some offences, including fraud and corruption, the law developed the ‘identification doctrine’ as a means of holding a corporate entity to account for its misdemeanours. In essence, this attributes the knowledge of a corporate’s directing mind – the individual or individuals who control the actions of the corporate (for example, its directors, senior managers, etc.) – to the corporate itself. Whereas the idea behind the doctrine was to attribute knowledge and action to an abstract entity, in practice this has proved difficult in all but the simplest cases involving small companies with unsophisticated structures. The difficulties are particularly apparent in larger companies or multinationals with more diffuse decision-making among management teams and where complex corporate structures may mean there are numerous reporting lines that would need to be assessed. An area that frequently needs careful analysis is where management teams or business units have been given delegated authority to act on the corporate’s behalf.
To meet some of the criticisms of the identification doctrine, and the consequent difficulties in holding corporates liable for misconduct, in recent years the UK has introduced two types of corporate offences, essentially holding the corporate liable for failing to prevent certain types of wrongdoing, subject in each case to the corporate being able to raise a compliance-related defence (i.e., that it had in place either adequate or reasonable procedures designed to prevent the defined type of wrongdoing occurring). One example is the Bribery Act 2010’s corporate offence of failure to prevent bribery, in which a company (incorporated or carrying on part of its business in the UK) is liable for bribes paid by a third party to win business for or on behalf of the company anywhere in the world, unless it can demonstrate it had adequate procedures intended to prevent bribery. Third parties are broadly defined in the Bribery Act 2010 to include anyone who performs services for or on behalf of the company in whatever capacity (e.g., an employee, agent or intermediary). The Criminal Finances Act 2017 similarly introduced a new offence of failure to prevent the facilitation of tax evasion with an affirmative defence of reasonable prevention procedures.
3Which law enforcement authorities regulate corporations? How is jurisdiction between the authorities allocated? Do the authorities have policies or protocols relating to the prosecution of corporations?
The UK has three legal systems and jurisdictions for criminal law purposes, each of which applies geographically: England and Wales, Northern Ireland and Scotland. The criminal laws of England and Wales and of Northern Ireland are similar, whereas Scots law and procedure is markedly different.
In the UK as a whole, allegations of corporate offending involve the same criminal process, enforcement agencies and court system as investigations and prosecutions of individuals. As a corporate is a legal rather than a natural person, certain steps vary because of this status (e.g., how it may need to respond to enquiries from a regulator, how a corporate will appear in court (via counsel) and how it is sentenced if guilty of an offence). Some key law enforcement authorities involved in the regulation, investigation or prosecution of corporates in the UK include (not exhaustively) the following:
- The SFO – set up with special powers under the Criminal Justice Act 1987 for the investigation and prosecution of large and complex corporate fraud and corruption. Unusually for UK law enforcement agencies, it combines investigative and prosecution functions.
- National Crime Agency (NCA) and local police forces – tend to lead investigations involving smaller-scale or less complex fraud or corporate crime, which is then prosecuted by the Crown Prosecution Service (CPS).
- The Police Service of Northern Ireland – investigates crimes within the jurisdiction of Northern Ireland. Crimes are then prosecuted by the Public Prosecution Service of Northern Ireland (PPSNI).
- The Police Service of Scotland (Police Scotland) – investigates crimes within the jurisdiction of Scotland. Crimes are then prosecuted by the Crown Office and Procurator Fiscal Service (COPFS).
- Her Majesty’s Revenue and Customs – investigates tax-related offending, which is then prosecuted by the CPS.
- Financial Conduct Authority (FCA) – the regulator of the financial services industry. As a regulator, the FCA can impose civil sanctions for misconduct, but also may prosecute regulated firms or individuals for specific market-related offences, such as insider trading and market manipulation. Frequently, cases involving financial services companies fall within the scope of both the FCA and the SFO’s investigation powers. In those cases, the SFO will usually take precedence in relation to the criminal proceedings as it may prosecute a wider range of offences.
- Competition and Markets Authority (CMA) – investigates anticompetitive behaviour; it may impose civil sanctions but can also prosecute cartel offences.
- Department for Business, Innovation and Skills – this government department investigates and prosecutes activities concerning the affairs of companies, including fraudulent trading and breaches of bankruptcy or disqualification orders.
- Information Commissioner’s Office (ICO) – investigates and prosecutes or imposes civil sanctions for data protection offences.
- Health and Safety Executive (HSE) and Health and Safety Executive for Northern Ireland (HSENI) – the HSE investigates and prosecutes or imposes civil sanctions for health and safety offences and works with the police on corporate manslaughter investigations. In Northern Ireland, the position is similar, except that it is the PPSNI (not the HSENI) that brings prosecutions. Prosecutions in Scotland are brought by the COPFS.
- Office of Gas and Electricity Markets – investigates and prosecutes certain criminal offences under legislation focused on the energy sector.
- Environment Agency, Northern Ireland Environment Agency and Scottish Environmental Protection Agency – investigate and prosecute environmental crime (in Scotland, the prosecution is brought by the COPFS and in Northern Ireland by the PPSNI).
- UK Office of Financial Sanctions Implementation (OFSI) – although not a prosecutor, OFSI has significant additional powers to impose financial penalties for breaches of financial sanctions measures.
In Scotland, all criminal investigations are undertaken by Police Scotland and the COPFS. Police Scotland has a dedicated economic crime unit, but investigations into serious and complex frauds are overseen by COPFS’ economic crime unit. The SFO can also investigate crimes that have occurred in Scotland if they affect other parts of the UK, but it cannot prosecute cases in or from Scotland.
There can be concurrent jurisdiction between the SFO and the COPFS, particularly with respect to overseas bribery cases. In 2014, the SFO and the COPFS entered into a memorandum of understanding, which provides a framework for co-operation in cases of bribery or corruption that both organisations have (or may have) jurisdiction to prosecute under the Bribery Act 2010 and for determining ‘primacy’ to investigate and prosecute corporate bribery offences.
In late 2009, the SFO and the CPS published a joint guidance note for corporate prosecutions setting out general principles, and evidential and public interest factors that could be taken into account when making a prosecutorial decision in regard to a corporate. One of the public interest factors that these agencies are entitled to take into account to decide against a prosecution of a corporate is ‘the existence of a genuinely proactive and effective corporate compliance programme’.
In July 2011, the COPFS published its civil settlement guidance, which encourages Scottish and other companies that have committed bribery offences within the jurisdiction of Scotland to self-report to the COPFS in return for the opportunity to resolve the case through a civil settlement mechanism. The initiative must be reviewed and approved each year by the Lord Advocate and has recently been extended until June 2020.
In February 2014, following the introduction of DPAs in England and Wales (but not Scotland or Northern Ireland) under Schedule 17 of the Crime and Courts Act 2013, the SFO and the CPS published a Deferred Prosecution Agreements Code of Practice setting out public interest factors for and against offering a corporate a non-prosecutorial resolution by way of a DPA.
In August 2019, the SFO issued its Corporate Co-operation Guidance as part of its Operational Handbook, which it will use in making charging decisions in relation to allegations of bribery and corruption.
4What grounds must the authorities have to initiate an investigation? Is a certain threshold of suspicion necessary to trigger an investigation?
Law enforcement authorities must have reasonable grounds to suspect that a criminal offence has been committed to exercise their investigative powers.
The SFO may investigate any suspected offence that appears to the director of the SFO on reasonable grounds to involve serious or complex fraud. The SFO’s powers to compel the production of evidence under section 2 of the Criminal Justice Act 1987 can be exercised in any case in which it appears to the director that there is good reason to do so for the purpose of investigating the affairs, or any aspect of the affairs, of any person.
Additionally, and only in relation to possible bribery and corruption with an international dimension, the SFO may apply the even lower test under section 2A of the Criminal Justice Act 1987 of whether there is an ‘appearance’ that bribery and corruption may have taken place to initiate a pre-investigation (and use its powers under section 2 to determine whether a formal investigation should be undertaken). Therefore, the section 2A powers can only be exercised for the purpose of enabling the SFO to decide whether to open a formal investigation.
5How can the lawfulness or scope of a notice or subpoena from an authority be challenged in your country?
Depending on the authority and type of notice, it may be possible to informally agree a narrower scope of information to be produced without having to formally challenge the lawfulness or scope. Otherwise the company may challenge the lawfulness or scope of the notice or production order by way of application to court. Usually this challenge will be by way of judicial review (in Scotland, a bill of suspension), although under certain statutes it may be possible for the company to seek a hearing before the court or tribunal that had originally issued the notice or court order (where this is provided for under the applicable statute).
6Does your country make use of co-operative agreements giving immunity or leniency to individuals who assist or co-operate with authorities?
There is the possibility of immunity or leniency for individuals who assist or co-operate in the investigation or prosecution of criminal offences.
Section 71 of the Serious Organised Crime and Police Act 2005 (SOCPA) allows certain prosecutors, including the SFO, to grant any person immunity from prosecution in England and Wales or Northern Ireland by issuing a written immunity notice. The immunity notice, which will specify the criminal offences for which no proceedings can be brought, ceases to have effect if the person fails to comply with the conditions contained in the notice. The use of section 71 is relatively rare.
Section 73 of SOCPA provides a means to incentivise assistance from defendants. A defendant who, pursuant to a written agreement with a relevant prosecutor, has provided or has offered to provide assistance to an investigator or prosecutor is eligible to receive a reduction in sentence, provided a guilty plea has been tendered. Judges are required to state in open court the sentence would have been imposed but for the assistance given or offered, unless it would not be in the public interest to disclose that the sentence has been discounted.
Broadly equivalent principles relating to immunity and leniency apply in Scotland under Part 3 of the Police, Public Order and Criminal Justice (Scotland) Act 2006.
7What are the top priorities for your country’s law enforcement authorities?
International corruption and a coordinated global approach to its defeat has been a top priority for the UK government and its law enforcement authorities for the past few years, and this has been reiterated in the government’s Economic Crime Plan 2019–2022, published in July 2019, which makes significant commitments to meet the government’s objective of tackling economic, white-collar and corporate crime.
A focus on tax evasion led to the introduction of a new corporate criminal offence of failing to prevent the facilitation of tax evasion, which came into force in September 2017, and there have been increasing calls to extend the ‘failure to prevent’ offences to other economic crime. The government is currently analysing the responses to an earlier call for evidence on this; its response is awaited. In the meantime, some high-profile committees and officers, including the UK’s solicitor general, have given their support to the introduction of such an offence.
A further focus is increased transparency of the beneficial ownership of foreign companies investing in UK property or bidding for government contracts. This has prompted the introduction of a register of beneficial ownership of foreign investors, which is intended as a measure to reduce both tax evasion and the likelihood of UK properties being used to launder foreign criminal funds, to be operational by 2021.
Pursuant to the Criminal Finances Act 2017, unexplained wealth orders (UWOs) came into force on 31 January 2018. The legislation allows the High Court to make a UWO in respect of any property (valued at more than £50,000) where the Court is satisfied that there is reasonable cause to believe that the property is held by a politically exposed person who has been involved in serious crime or that a person connected with that individual is, or has been, involved in serious crime.
8Does your country regulate cybersecurity? Describe the approach of local law enforcement authorities to cybersecurity-related failings.
Cybersecurity is regulated within the UK through a number of statutory regimes. Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation (GDPR)), which came into force on 25 May 2018, requires that personal data is ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’. Accordingly, organisations that control personal data must have sufficient cybersecurity measures in place to protect against attack. There are mandatory reporting obligations in place where certain attacks happen.
Enforcement of the GDPR falls to the relevant supervisory authority within each European country; in the UK, this is the ICO.
Fines have been substantially increased under the GDPR, to up to 4 per cent of annual global turnover or €20 million (whichever is higher), and the ICO has indicated that it intends to use the full force of its powers for the most serious breaches.
Cybersecurity has far-reaching consequences, however, and a range of other regulators also require notification following a cybersecurity incident; these include the FCA, the Charity Commission and other professional regulatory bodies.
Cybersecurity is woven into a range of other statutory regimes. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) regulate providers of public electronic communication services. Service providers are similarly required to take appropriate technical and organisational measures to safeguard the security of their service. The PECR also have mandatory reporting obligations but impose a shorter time frame than the GDPR; within 24 hours of becoming aware of the essential facts. Under the GDPR, mandatory personal data breach reports must be made within 72 hours of becoming aware of the breach. Powers open to the ICO in enforcing the PECR include criminal prosecution and a fine of up to £500,000.
Additionally, the Network and Information Systems Regulations 2018 (NIS), which came into force on 10 May 2018, govern the threat posed to essential network systems and seek to improve the functioning of the digital economy. NIS applies to operators of essential services and relevant digital service providers. The requirements placed on systems operators again include having appropriate and proportionate technical and organisational measures to manage risks to the security of the network. Additionally, appropriate and proportionate steps should be taken to prevent and minimise the effects of incidents.
There is a range of ‘competent authorities’ that regulate NIS, depending on the specific sector. A breach of NIS can result in a fine of up to £17 million and, like the GDPR, there is a time limit of 72 hours (from becoming aware) for reporting any incident which has a significant effect on the continuity of the essential service.
9Does your country regulate cybercrime? What is the approach of law enforcement authorities in your country to cybercrime?
The main regulations relating to cybercrime are the Computer Misuse Act 1990 (the CMA 1990), the Data Protection Act 2018 (the DPA 2018) and the Cyber Attacks (Asset Freezing) Regulations 2019 (the 2019 Regulations).
The CMA 1990 has been amended to take account of the developing nature of cybercrime. Offences can be tried summarily or on indictment with a range of maximum sentences, depending on the offence committed.
Although prosecutions have been made over many years pursuant to the CMA 1990, the ICO secured its first conviction in November 2018. The prosecution was followed by an application under the Proceeds of Crime Act and a confiscation order.
The domestic legislation that sits alongside the GDPR is the DPA 2018, section 170 of which makes it an offence to knowingly or recklessly obtain, disclose, procure or retain personal data without the consent of a data controller and, on indictment, the maximum sentence is an unlimited fine. The offence slightly augments that under the previous legislation (the Data Protection Act 1998). Prosecutions being brought by the ICO currently tend to be pursuant to the 1998 Act in view of the time it takes to investigate and prosecute an offence.
Proceeds of crime legislation can be used as part of the enforcement toolkit; in June 2019, for example, the ICO secured the conviction of a former managing director of a claims management company who had unlawfully obtained and sold personal data. He was sentenced to a fine of £1,050 but the benefit derived from the illegal activity was valued at £1,434,679.60. In view of the defendant’s lack of assets, a nominal £1 order was made.
Aside from unauthorised access and use of information, cybercriminals also deploy ransomware to secure a ransom demand. The aim of the 2019 Regulations, which came into force on 11 June 2019, is to address this. Measures under the Regulations include sanctions, restrictive measures and offences connected with cyberattacks threatening the European Union or its Member States.
The 2019 Regulations apply to UK nationals or any body incorporated in the UK. They have extraterritorial effect, and their measures are also applicable to conduct wholly or partly outside the UK that is perpetrated by a UK national, or a body incorporated or constituted under UK law.
Rather like sanctions regimes, the 2019 Regulations restrict interactions with ‘designated persons’. Dealing with or making funds available to such persons is a criminal offence. The maximum sentence under the 2019 Regulations is an unlimited fine, seven years’ imprisonment, or both.
Cross-border issues and foreign authorities
10Does local criminal law have general extraterritorial effect? To the extent that extraterritorial effect is limited to specific offences, give details.
The jurisdictional basis of criminal law in the UK is generally territorial, as an offence will only be triable in the jurisdiction in which it takes place unless there is a specific provision to the contrary, for instance where specific statutes enable the courts of the UK to exercise extraterritorial jurisdiction.
Some examples of exceptions are worthy of note. First, under general common law principles, if a substantial part of an offence occurs in the UK (even if other parts occur outside the UK), the UK courts can have jurisdiction.
Second, under Part I of the Criminal Justice Act 1993, certain fraud, theft, forgery, false accounting, blackmail and cheat offences are triable in England and Wales if a relevant event, or part of the wrongful act within an offence, has occurred in England or Wales. The extension of jurisdiction under this statute also applies to attempts and conspiracies to commit these defined offences.
Third, the Bribery Act 2010 (and prior bribery and corruption legislation) has important provisions to allow law enforcement to investigate and prosecute cases of overseas corruption. A feature of the extraterritorial effect of the Bribery Act is that it applies to substantive corruption offences in which the acts and omissions are entirely outside the UK, if these involve UK nationals, others ordinarily resident in the UK, or UK companies, among other defined categories of a party with a close connection to the UK. The failure to prevent an offence also applies worldwide to UK-headquartered and non-UK headquartered corporates that carry on part of their business in the UK.
In September 2018, the High Court held that section 2(3) of the Criminal Justice Act 1987, which gives the SFO power to require a person to produce specified documents in connection with an SFO investigation, has extraterritorial effect, to compel a foreign company to produce documents held outside the jurisdiction if there is a ‘sufficient connection’ between the company and the jurisdiction. In April 2019, the UK Supreme Court granted leave to appeal this decision.
In February 2019, the Crime (Overseas Production Orders) Act 2019 received royal assent, allowing UK law enforcement agencies to apply for a court order with extraterritorial effect (an overseas production order), to obtain data stored electronically, directly from communication service providers based outside the UK.
11Describe the principal challenges that arise in your country in cross-border investigations, and explain whether and how such challenges depend on the other countries involved.
The challenges of dealing with cross-border investigations arise from inconsistencies in the approaches of the various law enforcement agencies and the application of different laws in the relevant jurisdictions.
The principal issues are:
- the differences in the scope and application of legal professional privilege between the jurisdictions, and ensuring that privilege is adequately protected when dealing with document or information requests from the various authorities or when conducting the internal investigation;
- the differences in data protection laws in each jurisdiction, and ensuring that breaches do not occur in the gathering and transferring of data between jurisdictions for the purposes of the internal investigation or responding to requests from a law enforcement authority;
- whether any of the jurisdictions impose a positive statutory obligation to make a formal report once the corporation becomes aware, or begins to suspect, that a crime has been committed. Northern Ireland and Scotland have additional statutes that impose reporting duties that apply in addition to laws that apply UK-wide.
- identifying which authorities may claim that the offending conduct occurred in their jurisdiction as a result of the fact that, with cloud-based communications (email, WhatsApp, i-Message, etc.), offending behaviour can occur in more than one location;
- whether evidence-sharing or mutual assistance treaties exist between the relevant jurisdictions; and
- whether there are sensitivities between the authorities in the various jurisdictions, for example, whether one authority is taking precedence, and if so whether the other authorities accept that position.
12Does double jeopardy, or a similar concept, apply to prevent a corporation from facing criminal exposure in your country after it resolves charges on the same core set of facts in another? Is there anything analogous in your jurisdiction to the ‘anti-piling on’ policy as exists in the United States (the Policy on Coordination of Corporate Resolution Penalties) to prevent multiple authorities seeking to penalise companies for the same conduct?
The existence of the principle of double jeopardy means that a corporation cannot be prosecuted a second time in the UK for the same or similar offences on the same facts following a legitimate acquittal or conviction, or other appropriate disposal, such as a DPA, by a UK court. European law also extends double jeopardy principles in cross-border cases within the European Union.
However, the protections for corporates worldwide in relation to double jeopardy principles are more varied and likely to be an area of discussion with law enforcement authorities when a corporate is involved in cross-border investigations in multiple jurisdictions. If the predicate offending has been disposed of in one jurisdiction, double jeopardy will not preclude UK authorities from prosecuting ancillary or incidental offences, such as record-keeping or money laundering offences that occurred in the UK. Nevertheless, there is scope to engage with international regulators with close ties to UK enforcement agencies or mutual legal assistance arrangements with the UK (or both) to ensure that, in practice, one agency takes primary responsibility for the investigation and enforcement, to avoid any undue prejudice when a case spans multiple jurisdictions. Notwithstanding this, frequently corporates will be expected to respond to enquiries simultaneously from agencies inside and outside the UK, and there are no general, formal rights on the part of a company to seek to stay a UK investigation pending the outcome of a foreign investigation or set of criminal proceedings that may have commenced prior to the UK law enforcement agencies becoming involved.
There is no UK policy analogous to the ‘anti-piling on’ policy that exists in the United States. However, in situations of concurrent jurisdiction, there are memorandums of understanding between the various law enforcement and regulatory authorities in the UK. These provide a framework for co-operation between organisations that have (or may have) jurisdiction to prosecute an offence and for determining ‘primacy’ to investigate and prosecute offences.
13Are ‘global’ settlements common in your country? What are the practical considerations?
Global settlements have been known, such as the DPA agreed between the SFO and Standard Bank PLC in November 2015 that was coordinated with the settlement between Standard Bank and the US Securities and Exchange Commission. The SFO will also reference the assistance it receives from foreign authorities at the conclusion of any successful prosecution.
A coordinated approach between the United States and the United Kingdom was also achieved in relation to Innospec Inc and BAE Systems in 2010, although in both cases the court was critical of the coordination.
14What bearing do the decisions of foreign authorities have on an investigation of the same matter in your country?
Law enforcement authorities in the UK generally try to co-operate with counterparties in foreign jurisdictions. Usually at the outset of an investigation, the authorities will agree whether one jurisdiction should take precedence in the investigation and prosecution of the matter (e.g., if the majority of the misconduct took place in that jurisdiction or in the jurisdiction of incorporation) or agree what aspect of a larger cross-border enquiry involving a corporate each will lead on if the case involves a number of components.
Even if it is agreed that the predicate offending in a matter should be prosecuted in one particular country, incidental offences, such as books and records offences, can still be prosecuted in the other jurisdictions.
Ultimately, UK authorities are responsible for the conduct of their own investigations and prosecutions. The extent to which a decision by a foreign authority would influence a UK investigation will depend on the particular facts of the matter, the relationship between the UK and foreign authorities, and the relationship between the UK and the other country on a state level, including any history of co-operation in timely mutual legal assistance.
Economic sanctions enforcement
15Describe your country’s sanctions programme and any recent sanctions imposed by your jurisdiction.
Currently domestic sanctions are limited to the counterterrorism regime with all other sanctions stemming from the European Union (including those implementing the sanctions imposed by the United Nations). The regulations adopted by the Council of the European Union imposing sanctions, as a tool of the EU’s Common Foreign and Security Policy, are currently directly applicable in the UK.
The main types of sanctions the UK imposes are:
- trade sanctions, including restrictions relating to military and dual-use items, certain industrial sectors and the provision of certain services (these sanctions are in addition to the UK’s general export control laws);
- financial sanctions, including asset freezes; and
- immigration sanctions, known as travel bans.
There may be specific exceptions under which it is possible to engage in an activity that would otherwise be prohibited. It may also be possible to get a licence or authorisation permitting activities that would otherwise be prohibited.
A principle of most sanctions regimes is the prohibition on knowingly and intentionally participating in activities that have the object or effect of circumventing any sanctions laws.
The Sanctions and Anti-Money Laundering Act 2018 will govern the sanctions regime following the UK’s exit from the European Union. The UK government has been taking steps to ensure the uninterrupted application of EU sanctions post-exit, including in the case of a no-deal exit.
16What is your country’s approach to sanctions enforcement? Has there been an increase in sanctions enforcement activity in recent years, for example?
Although the EU regulations imposing sanctions are directly effective, UK legislation is required to introduce the penalty regimes that apply for a contravention of sanctions.
The Department for International Trade implements and enforces trade sanctions and other trade restrictions. OFSI, which is part of HM Treasury, implements and enforces financial sanctions. The Home Office implements and enforces immigration sanctions.
The potential consequences for breaching sanctions laws are severe, including unlimited criminal fines, periods of imprisonment for individuals, the disgorgement of any profits and reputational damage.
The 2017 Policing and Crime Act introduced civil penalties for breaches of financial sanctions, available in cases where it is not in the public interest to prosecute.
To date, OFSI has imposed two civil penalties: in February 2019 against Raphaels Bank and in May 2019 against Travelex (UK) Limited.
17Do the authorities responsible for sanctions compliance and enforcement in your country co-operate with their counterparts in other countries for the purposes of enforcement?
The UK has historically had a leading role in developing the EU’s sanctions policy and is embedded in a structure for co-operation on sanctions with other EU Member States.
OFSI has an international engagement branch that is leading an ‘initiative to help promote robust financial sanctions implementation on the world stage, not only through bilateral and multilateral meetings/events but also through technical assistance to other governments’.
18Has your country enacted any blocking legislation in relation to the sanctions measures of third countries? Describe how such legislation operates.
Council Regulation (EC) No. 2271/96 protecting against the effects of the extraterritorial application of legislation adopted by a third country and actions based thereon or resulting therefrom (the Blocking Regulation) is currently directly applicable in the UK.
The Blocking Regulation currently applies to certain sanctions imposed by the United States in respect of Cuba and Iran (referred to as the listed extraterritorial sanctions). The Blocking Regulation was updated in August 2018 following the United States’ withdrawal from the Joint Comprehensive Plan of Action known as the ‘Iran deal’.
The Blocking Regulation has four main components:
- EU persons (currently including UK nationals and UK-incorporated entities) and those in the territory of the European Union are prohibited, without authorisation from the European Commission, from complying, either directly or through a subsidiary or other third party, actively or by deliberate omission, directly or indirectly, with any requirement or prohibition with the listed extraterritorial sanctions.
- EU persons whose economic or financial interests are directly affected by the listed extraterritorial sanctions must inform the European Commission of this within 30 days. In the case of EU businesses, the reporting obligation rests with directors, managers and others with managerial responsibility.
- Judgments or decisions of non-EU courts, tribunals or administrative authorities giving effect to the listed extraterritorial sanctions are not enforceable in the European Union. This is intended to shield EU persons, for example, from the effects of any decision requiring seizure or enforcement of any penalty in the European Union based on the listed extraterritorial sanctions.
- EU persons ‘engaging in international trade and/or the movement of capital and related commercial activities between the Community and third countries’ are entitled to recover damages caused to them by the application of the listed extraterritorial sanctions through the courts in Member States. Recovery can take the form of seizure and sale of the assets of the persons causing the damage, their representatives or intermediaries.
19To the extent that your country has enacted any sanctions blocking legislation, how is compliance enforced by local authorities in practice?
In the UK, it is a criminal offence to breach the prohibition or fail to comply with the reporting obligation provided in the Blocking Regulation. This offence is punishable by an unlimited fine.
If a UK national or incorporated entity wishes to comply with any listed extraterritorial sanctions in the Blocking Regulation, authorisation must first be obtained from the European Commission. Applications must be made in writing to the Commission, which will consider whether sufficient evidence has been provided that the interests of the applicant or the European Union would be seriously damaged by non-compliance, based on 14 criteria set out in Commission Implementing Regulation (EU) 2018/1101. Authorisation is effective on the date when it is notified to the applicant.
To date, no UK nationals or UK-incorporated entities have been prosecuted for a breach of the Blocking Regulation.
Before an internal investigation
20How do allegations of misconduct most often come to light in companies in your country?
In addition to the normal means for identifying misconduct, such as audits, screening procedures and whistleblowing, UK companies can become aware of allegations of misconduct through cybercrime or data breaches (e.g., the Unaoil and Panama Papers cases) and due diligence carried out in relation to commercial transactions, including mergers and acquisitions.
Allegations may also arise in hearings, such as employment tribunals and litigation proceedings.
21Does your country have a data protection regime?
The UK implemented the Data Protection Act 2018 (the DPA 2018) to complement the GDPR. The GDPR has direct effect across all EU Member States and applies directly to all organisations processing personal data within the European Union. However, it allows Member States limited opportunities to make provisions for how it applies in their country. The DPA 2018 essentially provides the details of local derogations, such as law enforcement processing. The two must therefore be read side by side. This new legislation supplements existing UK laws such as the Freedom of Information Act 2000 and the Regulation of Investigatory Powers Act 2000, and directly applicable EU legislation, such as the Privacy and Electronic Communications Regulations.
22To the extent not dealt with above at question 8, how is the data protection regime enforced?
In publishing its first intended fines for serious cybersecurity incidents post-GDPR, the ICO has demonstrated its intention to use the full force of its powers. In July 2019, the ICO reported its intention to fine British Airways £183.39 million in relation to a cyber incident involving the compromise of personal details of around 500,000 customers; similarly with the ICO’s reported intention to fine Marriott International, Inc more than £99.2 million in relation to a cyber incident whereby the records of approximately 339 million guests globally were exposed.
23Are there any data protection issues that cause particular concern in internal investigations in your country?
Typically, a considerable amount of evidence will be reviewed in the course of any internal investigation and must be handled carefully to ensure compliance with the DPA 2018. It is very likely that it will be necessary to conduct a data privacy impact assessment before processing any information. Decisions taken with regard to the processing and disclosure of data should be made in accordance with the DPA 2018, and all reasons for those decisions should be documented. If any of the data reviewed contains or may contain personal data, particularly sensitive personal data, extra care should be taken. Firms should seek legal advice with regard to what additional measures should be taken in relation to this material. This includes whether redaction of any personal information is required and whether this would be an appropriate mechanism to avoid any data protection breaches.
Further, extra care should be taken in circumstances where there may be a transfer of the data outside the European Union or a jurisdiction with an adequacy decision (i.e., a jurisdiction that offers an equivalent level of protection to data as in the European Union).
24Does your country regulate or otherwise restrict the interception of employees’ communications? What are its features and how is the regime enforced?
A range of factors must be taken into account when considering the monitoring of employee communications. These typically fall into two categories:
- review of emails sent and received by an employee; and
- intercepting emails before receipt.
In relation to the review of emails sent and received by an employee, the situation broadly involves considerations under the GDPR, the DPA 2018 and the Human Rights Act 2000. The processing of emails through review will require an employer to consider the extent to which it can satisfy a lawful condition of processing under the GDPR with balancing the data subject and privacy rights. However, consent is not typically a basis upon which such processing would take place as consent, under the GDPR, has to be freely given and the ICO has stated that it is unlikely that consent could be so considered in an employer–employee relationship in view of the imbalance of power.
If monitoring does take place, this will often be overt monitoring, in that the employer will set out in its information technology (IT) use and privacy policies that they retain the right to access emails and messages sent and received on employer-issued devices.
The ICO issued guidance prior to the implementation of the GDPR that, at the time of writing, has not been updated but recommends that covert monitoring only takes place in exceptional circumstances; for example, for the detection of crime.
It is essential, if monitoring is taking place, that the employer ensures that it is proportionate and undertaken only for as long as is necessary.
The GDPR sets out circumstances in which it is mandatory to conduct a data protection impact assessment, which includes assessing when processing is likely to result in a high risk to data subjects. As a matter of good practice, it may be prudent to work through a risk assessment prior to processing even when the high threshold has not been triggered, so that essential security and data minimisation measures are considered and adopted where necessary.
Up to 27 June 2018, the Provisions of the Regulation of Investigatory Powers Act 2000 and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699) governed the interception of electronic communications during transmission. Since that date, these have been replaced by the Investigatory Powers Act 2016 (IPA) and the Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018 (S 2018/356) (the 2018 Regulations).
Under the IPA, it is a criminal offence to intercept communications without lawful authority. Although the 2018 Regulations include the detection of crime as authorised conduct in certain circumstances, given the criminal implications of interception without proper authority, every case must be assessed on its merits to ensure that the relevant standards are met.
Dawn raids and search warrants
25Are search warrants or dawn raids on companies a feature of law enforcement in your country? Describe any legal limitations on authorities executing search warrants or dawn raids, and what redress a company has if those limits are exceeded.
Authorities that investigate corporate crime in the UK, such as the SFO, often conduct dawn raids of business or residential premises under the authority of a search warrant issued by a court. Depending on the specific powers of the law enforcement agency conducting a raid, the raid is often undertaken in coordination with a local police force.
When a raid is carried out under a warrant, the authority may only search the premises specified in the warrant and seize items within the scope of the warrant.
In England, Wales and Northern Ireland, certain categories of material, such as confidential journalistic material or personal records created in the course of a business (e.g., patient records in a medical practice) cannot be seized during a raid without additional authorisations being obtained, in some circumstances from particular courts. Different rules apply in Scotland.
In the UK as a whole, legally privileged material cannot be seized unless it was created with the intention of the furtherance of a crime (crime-fraud exception) or is inextricably linked to other, seizable material. In that case, it can be seized but must be sifted to exclude as far as possible any privileged material from the investigating team at the law enforcement agency. In England and Wales, a typical approach is for material subject to a claim of legal privilege to be examined by an independent lawyer before it is examined by the investigating team (and any privilege material excluded). The use of this power is also subject to the Criminal Justice and Police Act 2001, which entitles a corporate’s legal representative to be present at a review of the material and apply to a judge for the material to be returned. In Scotland, there is no statutory framework for dealing with privilege issues and there may be a need to apply to the courts for the seizure of privilege material to be suspended.
The CMA may conduct a dawn raid of business premises without a warrant.
Some authorities have additional powers that can be exercised during a dawn raid, for example, the SFO and the CMA may compel a person to answer questions relevant to the search, such as regarding the location of certain documents.
If there are significant errors in either the process of obtaining a warrant or authorising a raid, or in the execution of a raid, the raid can be challenged by judicial review and rendered unlawful and the material seized during the raid could be rendered inadmissible.
The Law Commission is reviewing the law governing search warrants. A consultation on the issue closed on 5 September 2018. The Commission’s report and recommendations are still awaited.
26How can privileged material be lawfully protected from seizure during a dawn raid or in response to a search warrant in your country?
As a general rule, legally privileged material cannot be seized during a dawn raid unless the crime-fraud exception applies or where it is inextricably linked to seizable material (as described in question 25), in which case other safeguards, including those set out in question 25, should be adhered to. However, in relation to certain competition investigations, the European Commission does not regard advice from in-house lawyers as legally privileged, so it may seize such material during raids or inspections.
In England, Wales and Northern Ireland, the authorities that investigate corporate crime are routinely accompanied during raids by an independent lawyer specifically tasked with reviewing on-site any material that a company asserts as privileged. It is, therefore, important to be aware of where privileged material is likely to exist so that assertions can be made before items are seized.
If there is a dispute regarding privilege, the authority will seize the material by sealing it in an opaque bag for review by an independent lawyer at a later date. The company is entitled to have its legal representative present during that review.
Digital devices containing both privileged and non-privileged items that cannot be separated may be seized or imaged during a raid. In practice, the privileged material will then be quarantined by digital forensic experts within the authority by applying search criteria provided by the company.
27Under what circumstances may an individual’s testimony be compelled in your country? What consequences flow from such compelled testimony? Are there any privileges that would prevent an individual or company from providing testimony?
In England, Wales and Northern Ireland, there is a qualified right of silence when being interviewed as a suspect, and a defendant in a criminal trial has a right not to give evidence. In both situations, the right is qualified as, in certain circumstances, adverse inferences can be drawn from this silence.
However, in Scotland the right to silence is not qualified and no negative inference can be drawn from an interviewee’s refusal to answer questions.
A right of silence does not apply when an authority such as the SFO, FCA or CMA exercises specific statutory powers by issuing a notice compelling a witness to answer questions or produce documents. Failure to comply with such a notice without a reasonable excuse can result in a criminal offence. However, the contents of a compulsory interview under these powers cannot be used against the individual except in a prosecution specifically for making a false or misleading statement in that interview. In practice, complications can arise when an individual is initially a witness compelled to produce evidence and then later becomes a suspect in a criminal investigation. Any evidence provided in the subsequent interviews conducted under caution can be adduced against the individual.
Whistleblowing and employee rights
28Describe the whistleblowing framework in your country. What financial incentive schemes exist for whistleblowers? What legal protections are in place for whistleblowers?
The Public Interest Disclosure Act 1998 and the Public Interest Disclosure (Northern Ireland) Order 1998, as amended, combined with the Employment Rights Act 1996 and the Employment Rights (Northern Ireland) Order 1996, offer statutory protections to whistleblowers.
The dismissal of an employee will be automatically unfair if the principal reason for dismissal is that the individual has made a qualifying ‘protected disclosure’. Workers and employee are also protected from detrimental treatment (e.g., harassment, reduction in pay or dismissal) on the ground that they have made a qualifying protected disclosure.
There is no requirement for a minimum period of service nor is there any financial cap on the amount of compensation that can be awarded. An employee alleging automatic unfair dismissal on the grounds of being a whistleblower may make an immediate application for interim relief which may result in effective reinstatement. A successful automatic unfair dismissal claim could also result in the individual being reinstated as an employee, although this is rare.
There are no financial incentive schemes in the UK for whistleblowers.
29What rights does local employment law confer on employees whose conduct is within the scope of an investigation? Is there any distinction between officers and directors of the company for these purposes?
Suspension pending investigation
Employment legislation does not specifically deal with suspension but case law and guidance issued by the Advisory, Conciliation and Arbitration Service (ACAS, a public body funded by the UK government), in the form of the ACAS Code of Practice on Disciplinary and Grievance Procedures (the ACAS Code), requires that employees only be suspended where this is necessary and that the period of suspension be as short as possible. It is also important that employees be informed, preferably in writing, of the nature of the allegations made against them (whether in relation to an internal or external investigation) and, in most cases, suspension should be on full pay and with no loss of benefits. Any failure to follow these principles can result in a breach of the ACAS Code and a repudiatory breach of contract. In Northern Ireland, similar provisions apply, pursuant to the Labour Relations Agency, Code of Practice on Disciplinary and Grievance Procedures (the LRA Code).
The right to a fair hearing
The disciplinary process should be carried out in accordance with the ACAS Code. As a minimum, it should include an investigation to establish the facts before proceeding to a disciplinary hearing (assuming there is a case to answer). In good time ahead of a disciplinary hearing, the employee must be informed of the allegations against him or her and the right to be accompanied at the hearing by a colleague or a trade union representative. During the hearing, the accused should be given a full opportunity to answer the allegations before any decision is made by the employer.
Employers should carry out their own disciplinary process irrespective of any third party finding of guilt (e.g., the police). The employer is still required to follow a fair disciplinary process (in accordance with the ACAS Code) as far as possible. As stated above, in Northern Ireland, compliance with the LRA Code (rather than the ACAS Code) is required but also note that, unlike in Great Britain, statutory dismissal procedures have been retained.
These requirements can be relaxed when employees do not have the requisite length of service with their employer to bring an unfair dismissal claim (two years in Great Britain and one year in Northern Ireland); however, it is best practice to follow a fair process in dismissals, to avoid allegations of whistleblowing or discriminatory treatment.
The right not to be unfairly dismissed
All employees with the requisite length of service have the right not to be unfairly dismissed. In the case of a successful claim, an employment tribunal can order reinstatement or re-engagement, or award compensation. In most cases in Great Britain, compensation is capped at one year’s pay or £86,444 (whichever is lower) plus a basic award of up to £15,750. In Northern Ireland, the one-year pay cap does not apply and unfair dismissal compensation is capped at £86,614, plus a basic award of up to £16,410, although in certain situations, employees can argue that this compensation cap should be disapplied.
The requirement for length of service and the statutory caps on compensation do not apply where the employee successfully alleges that the principal reason for dismissal is that the individual made a qualifying protected disclosure.
Company director considerations
Directors may also be employees (in which case the above will apply in tandem with any specific issues regarding directors’ duties). A director who is not an employee (a non-executive director) will not be subject to the above rules. However, directors are subject to general duties, which are set out in the Companies Act 2006, contained within a company’s articles and may also be set out in any letter of appointment. The company’s articles and any relevant letter of appointment will include provisions regarding the removal of a director who has acted in breach of one or more of his or her duties under the Companies Act. There are additional regulations that apply to directors of public companies.
30Do employees’ rights under local employment law differ if a person is deemed to have engaged in misconduct? Are there disciplinary or other steps that a company must take when an employee is implicated or suspected of misconduct, such as suspension or in relation to compensation?
Rights regarding suspension, the right to a fair hearing and the right not to be unfairly dismissed all apply to employees who may have engaged in misconduct. In general, there is no strict employment law requirement to suspend or discipline those suspected of misconduct; that is a decision for the employer. Some heavily regulated employers, such as those within the financial services sector, may be required by their regulatory body to suspend and take disciplinary action against employees who carry out regulated activities. In some cases, an employee’s misconduct must be reported to the regulator. Employees may also be regulated themselves and will have specific obligations towards the regulator.
Failure to take disciplinary action could be regarded by an authority as evidence of poor corporate culture. Furthermore, failure to suspend or dismiss an employee who is capable of impeding a criminal investigation by destroying documents or alerting or interfering with witnesses, could be regarded as obstruction of the criminal investigation.
31Can an employee be dismissed for refusing to participate in an internal investigation?
In general, a request to participate in an internal investigation will be a reasonable management instruction and any unreasonable refusal to engage in this process may constitute misconduct in itself. Whether or not an employer could fairly dismiss in these circumstances will depend upon the whole context and in particular the seniority of the employee. At all times, it is important that the employer does not interrogate or put pressure on the employee to make admissions of guilt, and a range of safeguards as to how the investigation is conducted should be considered, to ensure fairness to the employee.
Commencing an internal investigation
32Is it common practice in your country to prepare a document setting out terms of reference or investigatory scope before commencing an internal investigation? What issues would it cover?
It is good practice to prepare an initial scope of an internal investigation, potentially with a written investigation plan, with target deadlines and a clear set of tasks where possible, before commencing the investigation proper, setting out:
- its purpose;
- the issues to be investigated;
- the investigation team and reporting lines;
- how legal privilege will be established and maintained (e.g., the investigation team is instructed by and reports to a lawyer);
- how digital and hard copy material will be collected and preserved;
- how staff interviews will be conducted; and
- any other necessary immediate controls or steps, such as ceasing all future payments to suspect third parties.
The scope of an internal investigation and the client team may need to be kept under review, depending on factual findings and other developments that are possible at different stages in the investigation.
33If an issue comes to light prior to the authorities in your country becoming aware or engaged, what internal steps should a company take? Are there internal steps that a company is legally or ethically required to take?
In UK law, there are generally no formal legal obligations on a company to conduct an internal investigation into its own affairs. However, conduct rules applicable to some companies by the bodies that regulate them may mean an internal investigation is strongly recommended or even required. Generally, from an effective compliance perspective, a company should always investigate an issue as soon as it comes to light to enable the company to take the steps set out below (see also question 36).
The company will also need to consider whether a money laundering report is needed in accordance with the Proceeds of Crime Act 2002 (UK-wide application) and whether any additional report is required for the police in Northern Ireland or Scotland to comply with specific legislation that is applicable in those jurisdictions. In addition, the company should:
- stop the offending behaviour, otherwise the company could be exposed to a risk of criminal liability itself for allowing potential offending to carry on unchecked and uninvestigated. Additionally, if the offending conduct has ceased and the company is aware or suspects that it possesses funds obtained from the conduct, but it fails to take any action in regard to those funds, for example making a suspicious activity report to the NCA, the company could commit a further money laundering offence;
- preserve all documents and material relevant to the issue. If a law enforcement authority becomes aware of the matter, it would expect the company to have taken all necessary steps to protect and preserve all material that would be relevant to its criminal investigation (including by taking forensic images of digital material) so that the material could be provided to them eventually. Failure to do so could impede a criminal investigation and would be viewed as a lack of co-operation by an authority. Furthermore, it can be a criminal offence to destroy, falsify, conceal or dispose of relevant documents when a person knows or suspects an investigation of serious or complex fraud is already being, or is likely to be, undertaken by certain law enforcement agencies.
- take remedial or preventive action to ensure that the offending behaviour cannot occur in the company again.
If a company has failed to take any steps to address an allegation of bribery, it is unlikely that it would be able to rely upon the ‘adequate procedures’ defence in the event of a prosecution of corporate failure to prevent bribery under the Bribery Act 2010.
34What internal steps should a company in your country take if it receives a notice or subpoena from a law enforcement authority seeking the production or preservation of documents or data?
Upon receipt, the notice or court order should be sent immediately to the appropriate person within the business, whose function is to deal with such external matters (usually within the legal department). All steps should be taken to ensure that evidence that may be relevant for production under the notice or court order is not deliberately or inadvertently lost, destroyed or altered, and that any individuals who may be involved in possible wrongdoing are not tipped off. The exact scope of the request should be determined, and clarifications sought if the scope is unclear. The deadline for responding should also be diarised. It is advisable to seek external legal advice if the legal department is inexperienced in dealing with such matters.
To the extent that a company has an internal policy setting out the steps to be taken upon receipt of a notice or court order, this should be followed. Among other steps, the company should consider circulating document retention notices to ensure all relevant data is preserved, taking forensic images of all potentially relevant data sources (e.g., laptops, PCs, tablets, phones), and compiling a database that can be interrogated for documents falling within the request.
Once reviewed for relevance, the results should be double-checked for privilege and copies retained of anything provided to the authorities.
35At what point must a company in your country publicly disclose the existence of an internal investigation or contact from a law enforcement authority?
Privately owned companies are not required to publicly disclose the existence of internal investigations or contact from law enforcement.
Under the UK Listing Rules, publicly listed companies must issue a market announcement of any major new development that may affect their business without delay, if the development may lead to a substantial share price movement. A notice compelling the provision of documents would be unlikely to require an announcement, but confirmation from the authority that the company was a suspect in a criminal investigation would be likely to require an announcement.
Organisations that are authorised by the FCA also have an obligation to disclose to it anything relating to the firm of which it would reasonably expect notice. This would include breaches of UK laws and regulations, civil, criminal or disciplinary proceedings against a firm and fraud, errors and other irregularities.
36How are internal investigations viewed by local enforcement bodies in your country?
UK authorities have publicly stated that they are not opposed to internal investigations that are carried out in a manner that would not impede a criminal prosecution. They expect data gathering exercises to be carried out promptly, covertly and coordinated across multiple sites simultaneously. ‘Covert’ in this context is intended to ensure potential suspects in a later criminal investigation are not tipped off prior to data collection and so given an opportunity to destroy or delete incriminating material. It does not mean that companies should conduct internal investigations in a manner that involves unlawful surveillance or data gathering techniques (whereby they could be separately liable for other offences). In practice, digital material should be forensically imaged and preserved by IT specialists. All procedures used to gather and image data should be recorded and then fully disclosed to the relevant law enforcement authority.
Additionally, UK authorities expect that full and accurate accounts are taken during any witness interviews and, in some circumstances, consideration may need to be given to whether certain interviews should be conducted at all. This is particularly important if there is a risk of criticism that a corporate conducted an interview knowing a law enforcement agency would wish to speak to a witness first and obtain a first account from a witness prior to any internal investigation or review.
The SFO has repeatedly said that it expects to be given interview notes by corporates seeking to demonstrate co-operation in their investigation. While this is tempered to an extent by an acknowledgement that disclosure is not required when legal professional privilege applies, where such a claim is without foundation, co-operation is likely to be cast into doubt in the absence of such disclosure.
Prior to the Court of Appeal decision in September 2018 in SFO v. ENRC, provision of interview notes would normally be expected by the SFO in the event of any self-report by a corporate, and any claims of privilege over those accounts were uncertain (and likely to be contested by the SFO).
Following ENRC, there are now more established grounds for litigation privilege to apply to interview notes, depending on the factual context of an internal investigation (see further at question 37).
37Can attorney–client privilege be claimed over any aspects of internal investigations in your country? What steps should a company take in your country to protect the privilege or confidentiality of an internal investigation?
Legal professional privilege has traditionally been claimed over various aspects of internal investigations, which, in recent years, has increasingly been disputed by law enforcement authorities. However, in a 2018 Court of Appeal case, Eurasian Natural Resources Corporation Limited (ENRC) successfully repelled a challenge by the SFO relating to claims of privilege by ENRC. The SFO sought to challenge claims to privilege by ENRC regarding various documents that were produced by lawyers and forensic accountants during an internal investigation into allegations of bribery and corruption that had arisen from a whistleblower report. The documents in question fell into four categories:
- category 1: notes taken by lawyers of interviews conducted during an internal investigation;
- category 2: materials generated by forensic accountants as part of a ‘books and records’ review;
- category 3: documents, such as a presentation slides, containing or surmising factual evidence, that were used by lawyers to present to ENRC; and
- category 4: emails between a senior executive and the head of mergers and acquisitions at ENRC, who was a Swiss qualified lawyer.
The Court of Appeal held that documents falling into categories 1, 2 and 4 were protected by litigation privilege. The High Court had already held that the factual updates provided in category 3 were protected by legal advice privilege.
In short, the Court of Appeal held that a criminal investigation by the SFO could be ‘litigation’ for privilege purposes and that while a party anticipating possible prosecution will often need to make further investigations before it can say with certainty that proceedings are likely, that uncertainty does not in itself prevent proceedings being in reasonable contemplation. The fact that ENRC did not have the information required to evaluate the whistleblower email, therefore causing it to be uncertain as to whether a crime had in fact taken place, was not a bar to having the protection of litigation privilege. The Court opined that it would be wrong to deny a potential defendant the benefit of litigation privilege when he or she asks his or her lawyer to investigate the circumstances of the alleged offence. It concluded that ENRC did contemplate that prosecution was possible when the documents in question were created and these documents were therefore protected by litigation privilege. Much of the reasoning of the Court of Appeal decision is highly fact specific in the circumstances of the ENRC case. Therefore, the judgment should not be interpreted to extend litigation privilege to all documents created in all internal investigations.
While the question of whether or not privilege will apply remains fact specific, there are nevertheless several standard ways to advance and strengthen any legitimate claim to privilege, such as:
- involving lawyers (whether external or internal) as soon possible;
- marking all communications pertaining to legal advice as ‘privileged and confidential’;
- segregating privileged and non-privileged documents;
- refraining from forwarding or creating new documents that summarise legal advice received;
- encouraging employees not to amend or quote extracts from legal advice;
- where there is the reasonable possibility of potential litigation at a later stage, recording this in writing when the future possibility arises in an internal investigation, to evidence any subsequent legitimate claim for litigation privilege; and
- only circulating legal advice and privileged material on a strictly need-to-know basis.
Parties are able to obtain legal advice in the context of an internal investigation, and communications between a lawyer and a client for the purposes of legal advice continue to be privileged under legal advice privilege principles. These principles generally do not protect communications involving third parties. However, the Court of Appeal in ENRC has expressly left open a question as to whether aspects of current UK law on legal advice privilege (see the Bank of England BIU case) should be reviewed at a later date by the UK Supreme Court. It is therefore likely that the subject of privilege in internal investigations will be a matter of ongoing development of UK law.
38Set out the key principles or elements of the attorney–client privilege in your country as it relates to corporations. Who is the holder of the privilege? Are there any differences when the client is an individual?
There are two main forms of legal professional privilege in the UK: (1) legal advice privilege, which protects confidential communications (and evidence of those communications) between a lawyer and a client (but not communications with third parties) provided that the communications are for the dominant purpose of seeking and receiving legal advice; and (2) litigation privilege, which protects confidential communications (and evidence of those communications) between a lawyer and a client or third party, or both, or between a client and a third party, created for the sole or dominant purpose of obtaining information or advice in connection with the conduct of existing or reasonably contemplated litigation (including avoiding or settling, as well as defending or resisting, that litigation).
The holder of the privilege is the client.
In the case of corporate investigations, the client tends to be represented by the group of individual employees or directors charged with seeking and receiving legal advice on behalf of the company (or commissioning or conducting the internal investigation) rather than the entire corporate entity. This group of individuals usually includes the in-house legal team and some or all of the board of directors or subcommittee established by a company, but this group should be defined as soon as any external lawyers are engaged or at the outset of an investigation. This helps to ensure that there is a defined group from whom instructions by lawyers can be received and to whom advice is provided, which safeguards any claim of legal advice privilege.
39Does the attorney–client privilege apply equally to in-house and external counsel in your country?
Yes, although not in the context of an antitrust and competition investigation by the European Commission. In-house counsel must always be careful to ensure that they distinguish between legal advice and advice that is commercial in nature, since the latter will not attract legal professional privilege.
40Does the attorney–client privilege apply equally to advice sought from foreign lawyers in relation to (internal or external) investigations in your country?
Advice sought from foreign lawyers in investigations in the UK is subject to the same legal professional privilege as advice sought from lawyers within the UK. The UK courts will apply UK law on privilege to determine the extent to which privilege applies. If a document satisfies the test for legal advice privilege or litigation privilege under UK law, the document will be treated as privileged. This decision is made regardless of whether that document would not have been privileged under a foreign law.
This principle can have the opposite effect in respect of any documents that would be privileged under foreign law but do not meet the requirements for privilege under UK law. Such foreign privileged documents would not attract legal professional privilege in the UK.
41To what extent is waiver of the attorney–client privilege regarded as a co-operative step in your country? Are there any contexts where privilege waiver is mandatory or required?
UK authorities have frequently stated that they have no interest in communications between a client and its lawyers as to questions of liability or rights; however, in recent years, law enforcement agencies such as the SFO have challenged assertions of legal professional privilege over factual aspects of internal investigations and have expected the waiver of claimed legal professional privilege in the event of any self-report.
The authorities have stated previously that a refusal to waive a well made-out claim of legal professional privilege will not be held against a company, but a waiver of such a claim would be good evidence of co-operation. False or exaggerated claims of legal professional privilege will continue to be considered strong evidence of not co-operating and will be challenged.
The 2018 ENRC Court of Appeal judgment has confirmed that even when a party may lead the SFO to believe that it might in future waive privilege over certain documents, this does not in itself amount to a waiver of privilege and would only amount to such a waiver in the event of a formal agreement.
In summer 2019, the SFO issued some long-awaited guidance on its requirements for a company to be considered to be adopting a co-operative approach with the SFO in relation to allegations of fraud, bribery, money laundering and a failure to prevent the facilitation of tax evasion, which will influence its charging decisions. Other regulators may refer to the guidance in assessing whether the subject of an investigation has co-operated. In relation to legal professional privilege, the guidance provides that ‘if the organisation claims privilege, it will be expected to provide certification by independent counsel that the material in question is privileged’.
With regard to witness accounts collated in the course of internal investigations (presumably prior to reaching a conclusion that there was a potential corporate offence that should be notified to the SFO), companies are expected to provide those witness accounts to the SFO as a mark of co-operation.
42Does the concept of limited waiver of privilege exist as a concept in your jurisdiction? What is its scope?
There is a concept of limited waiver of legal professional privilege, and it is for the individual or entity waiving the privilege to determine the extent of the waiver.
It is important to be very clear as to the scope of the waiver with regard to the purpose for which the privileged information can be used and with whom it can be shared, particularly if a party seeks to prevent the information being shared with other domestic or foreign enforcement authorities or parties in any related civil proceedings. Generally, there are various gateways where evidence is shared between law enforcement agencies in the UK (and sometimes elsewhere), and proposals for a limited waiver from a corporate may not be acceptable to a law enforcement agency given the wider duties of disclosure or information-sharing.
43If privilege has been waived on a limited basis in another country, can privilege be maintained in your own country?
This will depend on a number of factors, including the terms of the waiver, the circumstances in which the material was received by the UK authority, and whether the UK authority disputes the claim of privilege, for example, if the UK authority asserts that the material falls within the crime-fraud exception.
44Do common interest privileges exist as concepts in your country? What are the requirements and scope?
Common interest privilege exists in the UK and can be used to preserve privilege in documents disclosed to third parties who have, at the time of the disclosure, a common interest in the subject matter of the privileged document or the litigation for which the document was created.
It is advisable when disclosing information under the common interest privilege to ensure that the recipient understands that the document has been disclosed on this basis and to obtain undertakings from the recipient that the privilege will not be waived. Typically, in criminal-related investigations, common interest privilege has very limited practical scope, because it is often in doubt whether two parties do, in fact, have a common interest.
45Can privilege be claimed over the assistance given by third parties to lawyers?
Privilege can be claimed over confidential communications (and evidence of those communications) between a lawyer and a client or third party, or both, or between a client and a third party, created for the sole or dominant purpose of obtaining information or advice in connection with the conduct of existing or reasonably contemplated litigation (including avoiding or settling, as well as defending or resisting, that litigation).
46Does your country permit the interviewing of witnesses as part of an internal investigation?
An internal investigation is a fact-finding exercise and interviews will often be central to any internal investigation. However, it is advisable always to be sensitive to the expectations of investigating authorities, to avoid any criticism that such interviews could have prejudiced the law enforcement investigation.
47Can a company claim attorney–client privilege over internal witness interviews or attorney reports?
While privilege is often claimed over internal witness interviews, UK authorities, such as the SFO, have stated in the past that they do not accept that the factual accounts of a witness interview are privileged and disapprove of such claims. This culminated in an unsuccessful challenge by the SFO over materials produced during an internal investigation on behalf of ENRC (see question 37), in which the Court of Appeal held that factual notes of what is said by a witness to a lawyer constituted a privileged document on the particular facts of the ENRC case.
It should also be borne in mind that in situations where proceedings are not in contemplation, communications between interviewees and counsel not made in the course of giving instructions to counsel will not attract litigation privilege or legal advice privilege. Only communications between counsel and those entrusted by the company to give instructions to counsel will attract legal advice privilege.
As stated under question 41, in summer 2019, the SFO issued some long-awaited guidance on its requirements for a company to be considered to be adopting a co-operative approach with the SFO, which includes guidance on witness interviews.
48When conducting a witness interview of an employee in your country, what legal or ethical requirements or guidance must be adhered to? Are there different requirements when interviewing third parties?
Although there are no general, formal requirements when conducting witness interviews as part of an internal investigation, best practice dictates that, irrespective of whether the interviewee is an employee or a third party, they should be informed:
- that the interview is part of a fact-finding exercise and, if applicable, in contemplation of litigation;
- if they are implicated in any wrongdoing;
- that the lawyer conducting the interview represents the company and not the interviewee;
- that the interview notes created by the lawyer belong to the company and therefore any privilege in the notes rests with the company;
- the company may choose to provide the notes to an authority (and this is at its election); and
- that the interview is confidential and the contents of the interview should not be discussed with other employees or witnesses (to avoid contaminating their recollection and generally to protect the integrity of the process).
Care should also be taken not to taint the witness’s recollection, for example by disclosing previously unseen material or discussing another witness’s statement.
49How is an internal interview typically conducted in your country? Are documents put to the witness? May or must employees in your country have their own legal representation at the interview?
It is common for interviewees not to be legally represented in initial fact-finding interviews during internal investigations; however, companies should not refuse a request from an individual to be legally represented at his or her own expense. In other circumstances, for example where an employee may incriminate himself or herself during an interview, there are compelling ethical reasons why a company may suggest that an employee may wish to obtain his or her own independent legal advice.
Documents can be put to the interviewee. A copy of each of the documents referred to or an interview pack should be retained as part of the record of the interview, as a matter of good internal investigation practice.
Reporting to the authorities
50Are there circumstances under which reporting misconduct to law enforcement authorities is mandatory in your country?
The Proceeds of Crime Act 2002 (POCA) places a specific duty on employees of regulated businesses (i.e., financial services firms and professional services such as lawyers and accountants) to make a report to the NCA when they have reasonable grounds to know or suspect that another person is engaged in money laundering and that knowledge came to them within the course of their regulated business. Failure to make a report in those circumstances carries a risk of imprisonment or a fine, or both, for individuals (and fines for companies), unless, in the case of individuals, they have reported to their firm’s money laundering reporting officer (MLRO). Other similar offences arise in the case of MLROs who have failed to report to the NCA, given their designated statutory duties to do so.
All companies (regulated and non-regulated) should make a report to the NCA if the company has a suspicion that it possesses funds obtained as a result of suspected criminal conduct by the company or employees, as this may be a money laundering offence under POCA. Other offences can arise if transactions involve the facilitation of money laundering offences by other persons. A report to the NCA of any of these types of suspicions can provide a statutory defence to money laundering if made as soon as practicable.
A money laundering report to the NCA is not a self-report for the purposes of a DPA (see question 51) or mitigation of sentence. A self-report must be made directly to the relevant authority, such as the SFO.
In Scotland, there is an obligation to report any knowledge or suspicion of serious organised crime to the police when this knowledge or suspicion originates from information obtained in the course of business or as a result of a close personal relationship (Criminal Justice and Licensing (Scotland) Act 2010). In Northern Ireland, additional reporting duties apply under the Criminal Law (Northern Ireland) Act 1967.
51In what circumstances might you advise a company to self-report to law enforcement even if it has no legal obligation to do so? In what circumstances would that advice to self-report extend to countries beyond your country?
The question of when and whether to self-report in the UK has been the subject of considerable debate following the Rolls-Royce case, which involved a DPA, notwithstanding that there was no self-report by Rolls-Royce.
A DPA is an agreement reached between a prosecutor and a company under investigation and approved by a court. The agreement allows a prosecution to be suspended for a defined period provided the organisation meets certain specified conditions. If the conditions are met, the prosecution is formally discontinued. (For further information about the DPA process in the UK, see question 65.) Prior to the DPA agreed in Rolls-Royce in January 2017, it was considered advisable for a company to self-report if it wished a matter to be settled by way of a DPA; the SFO had articulated that one of the preconditions of a DPA was a genuinely proactive approach by the company, including a full self-report (i.e., complete disclosure of the facts).
However, the stance that a self-report was a precondition to a DPA was put into some doubt in light of the DPA secured by Rolls-Royce in circumstances that did not follow a self-report. The SFO, and indeed the court in approving the DPA, has emphasised that the circumstances in which Rolls-Royce secured a DPA, notwithstanding that it had not self-reported, were due to the extraordinary level of co-operation with the SFO that followed once the offending conduct was already in part known to law enforcement authorities. The ‘extraordinary co-operation’ that was commended in the court’s judgment included a comprehensive internal investigation that extended beyond the original allegations known to the SFO, the results of which were made available to the SFO; disclosure of unreviewed documents; access to witnesses who had not previously undergone interviews by the company; and a limited waiver of any claim for legal privilege – all of which, the judgment suggests, brought to light conduct that otherwise may not have been exposed.
As stated in question 41, the SFO has now issued guidance on what it considers amounts to co-operation with its investigations, including a requirement to report a suspected fraud or bribery within a reasonable time of the suspicion arising. The guidance makes it clear that co-operation will be a relevant factor in making charging decisions (i.e., whether to prosecute, recommend a DPA or take no further action). There is no presumption that self-reporting will lead to no further action.
The SFO does not publish details of the self-reports that have led to no further action. Whether a DPA will be available in the absence of a self-report in future remains to be seen, but the benefits of so doing were highlighted recently in a case brought by the SFO against company director Carole Ann Hodson. The new company owners became suspicious and reported their concerns to the SFO, which launched an investigation into the company, its officers, employees, agents and associates. Hodson was then prosecuted and convicted. No action has been taken against the company – a reminder of the potential benefit of self-reporting by companies in appropriate cases, when the public interest may be served by taking action against the former owners and wrongdoers, rather than the company itself.
The question of when, and indeed whether, to self-report came into sharp focus again in relation to the Tesco Stores Limited DPA and subsequent acquittal of its senior executives. After discovering issues in the executives’ financial statements, Tesco referred itself to enforcement authorities. On 10 April 2017, Tesco entered into a DPA in respect of false accounting charges. This decision has subsequently been called into question by some following the collapse of the trial of two Tesco executives accused of the same false accounting. The judge concluded that the SFO’s evidence, taken at its highest, was such that a jury could not properly convict. The SFO subsequently offered no evidence at the trial of a third director.
A charge of accounting fraud, however, requires the conviction of a senior executive, or ‘directing mind and will’, to bind the guilt of the company. In short, the company cannot be guilty without the guilt of the senior executive. This contrasts with the corporate offence of ‘failure to prevent bribery’ under the Bribery Act, which does not depend on the guilty mind of a senior executive. If a company pleads guilty to a fraud offence, such as accounting fraud, at an early stage and secures a DPA, there is a risk that a jury, on consideration of the complete evidence at a later stage, will not be satisfied beyond reasonable doubt that the relevant individual is guilty. Therefore, companies must carefully assess the evidence against them before entering into a DPA. In cases that do not involve a ‘failure to prevent’ offence, the company may be hesitant to enter into a DPA given the difficulties of prosecuting these offences. The importance of making the correct decision is reinforced by the expense of a DPA and the requirements of extensive co-operation with the SFO.
DPAs are only available to corporate defendants and not to the individual employees or directors involved in the criminal conduct.
52What are the practical steps you need to take to self-report to law enforcement in your country?
Before making a self-report, a company should undertake the appropriate level of investigation to ascertain the extent and nature of the offending, ensuring that the company will not be taken by surprise by further issues that could arise in the course of a criminal investigation.
UK authorities have advised that for a company to be afforded full credit for making a self-report, it must be made within the context of a genuinely proactive and co-operative approach by the company. The SFO’s Corporate Co-operation Guidance sets out the steps it expects an organisation to take to demonstrate such co-operation.
The SFO’s outline of the process to be adopted by corporate bodies or their advisers when self-reporting provides that:
- initial contact, and all subsequent communication, must be made through the SFO’s Intelligence Unit, using the secure reporting form;
- hard copy reports setting out the nature and scope of any internal investigation must be provided to the SFO’s Intelligence Unit;
- all supporting evidence, including, but not limited to, emails, banking evidence and witness accounts, must be provided to the SFO’s Intelligence Unit; and
- further supporting evidence may be provided during the course of any ongoing internal investigation.
In Scotland, the COPFS’s self-reporting policy, which applies in relation to corporate bribery offences, requires a written report to be submitted on the company’s behalf by a solicitor.
Responding to the authorities
53In practice, how does a company in your country respond to a notice or subpoena from a law enforcement authority? Is it possible to enter into dialogue with the authorities to address their concerns before or even after charges are brought? How?
It is both possible and desirable to enter into a dialogue with the authority before or upon receipt of a notice or warrant to discuss any concerns the company has, for example that the deadline for compliance is unreasonable, or the description of the information and documents requested is unclear.
The authority should be willing to discuss such concerns and work with the company to find a reasonable and practical solution, so long as the result is that the relevant information and documents are ultimately received in a timely fashion. With regard to search warrants served on businesses, the police do not usually contact a business to discuss the terms of a warrant prior to turning up and executing the warrant. However, depending on the circumstances, the police may be willing to discuss the implementation of the warrant to avoid unnecessary disruption to the business’s legitimate activities and the risk of the warrant being challenged.
Materials subject to legal professional privilege may be withheld when responding to a search warrant. Warrants often do not address how privileged materials should be handled, and dealing with issues of privilege tends to be a matter for negotiation. The legal agent for the company should object to privileged materials being reviewed or seized and offer to set aside potentially privileged materials for review by the company’s legal agent subsequently. If the authority will not agree to this course, it may be proposed to appoint independent counsel (usually an advocate, barrister or solicitor) to review potentially privileged material and to make a determination as to whether or not the material is, in fact, privileged. If the authority will not agree to proceed on that basis, the legal agent for the company should insist that any privileged material should be sealed, unread, and delivered to the court to enable it to adjudicate upon the matter. In the event that such suggestions are not acted upon by the authority, the company may need to seek to overturn the warrant by presenting to the court a judicial review (or a bill of suspension in Scotland). (See also question 26.)
54Are ongoing authority investigations subject to challenge before the courts?
The exercise of powers by any public authority, such as in undertaking an investigation, can be challenged by application to the court for a judicial review (a bill of suspension in Scotland) if considered to be unlawful.
If found to be unlawful, the court can order various remedies, such as stopping the exercise of that power, rendering it ineffective or awarding damages.
55In the event that authorities in your country and one or more other countries issue separate notices or subpoenas regarding the same facts or allegations, how should the company approach this?
While attempting to deal with notices or court orders issued by various jurisdictions as one consistent disclosure package would reduce effort and costs, it is generally advisable to deal with them separately but have protocols in place to ensure consistent approaches are maintained to any relevant documents to be produced. Court orders and notices issued under compulsory powers usually negate data protection laws and any obligations of confidentiality to third parties. Consequently, civil proceedings cannot be brought by third parties against a company for its actions in providing material in response to a lawful court order or compulsory notice as long as the material provided was within the scope of the notice or order. However, if the company voluntarily provides material beyond the scope of the notice or order, and in doing so breaches a confidentiality obligation or data protection law, it could expose itself to claims.
To avoid creating risks of civil and criminal liability, notices and orders should be responded to separately unless the company is able to satisfy itself that the scope of the orders or notices from each of the jurisdictions are identical in all important respects.
56If a notice or subpoena from the authorities in your country seeks production of material relating to a particular matter that crosses borders, must the company search for, and produce material, in other countries to satisfy the request? What are the difficulties in that regard?
In general, if information is in the control of a company (e.g., a parent company with a right to take possession, inspect or take copies of a subsidiary’s documents), the company will be expected, and may be required, to search for and produce all requested material, even when it is located in another country. In practice, if the company wishes to seek credit for co-operation, it should comply with any reasonable requests, whether or not it is required to. Also see question 10.
The exception is when the data protection legislation in the other country does not permit the removal or transfer of the data from that jurisdiction. In those cases, the requesting authority will generally need to use mutual legal assistance to obtain the material through foreign counterparts.
57Does law enforcement in your country routinely share information or investigative materials with law enforcement in other countries? What framework is in place in your country for co-operation with foreign authorities?
The UK authorities can and do share information and investigative materials with authorities in various other countries (for intelligence purposes and the detection and prevention of crime), whether or not there is a mutual legal assistance agreement with that country. This occurs regardless of whether the country is providing information or materials in return, although reciprocity is generally expected.
Where material is required for a prosecution, a mutual legal assistance request must be made. UK law authorities will only provide assistance that conforms with the UK’s laws and international obligations.
A list of the international mutual legal assistance and extradition agreements to which the UK is a party can be found on the UK government website (www.gov.uk/government/publications/international-mutual-legal-assistance-agreements).
The UK authorities can provide further assistance by conducting dawn raids in the UK on the foreign authority’s behalf, interviewing witnesses or suspects, freezing assets, or arresting and extraditing suspects.
58Do law enforcement authorities in your country have any confidentiality obligations in relation to information received during an investigation or onward disclosure and use of that information by third parties?
Law enforcement authorities owe a general duty not to disclose information or material received during the course of an investigation, and which is not otherwise in the public domain, unless the public interest in the disclosure outweighs the private interests of the owner. Furthermore, before disclosing information to a third party, the law enforcement agency should provide the owner with sufficient notice of the request to allow an opportunity for objections to the disclosure (Marcel and Others v. Commissioner of Police of the Metropolis and Others  2 WLR 50). Any objections should be considered and advance notice should be provided of an intention to disclose regardless. Notice does not have to be given when it would be inappropriate or impracticable to provide notice, for example if it would prejudice an investigation by the law enforcement agency requesting the information (R (on the application of Kent Pharmaceuticals Ltd) v. Serious Fraud Office and another  All ER (D) 191 (Nov)).
Section 3 of the Criminal Justice Act 1987 further limits disclosure by the SFO to third parties. Information obtained during the course of an investigation by the SFO can only be disclosed to certain specific government departments or bodies, or competent authorities specified in the Act, and only for the purposes of any criminal investigation or criminal proceedings, whether in the UK or abroad and for the purposes of assisting any public or other authority under the order. The list of competent authorities is wide and includes anybody having supervisory, regulatory or disciplinary functions; however, it does not include liquidators, provisional liquidators, administrators or administrative receivers.
59How would you advise a company that has received a request from a law enforcement authority in your country seeking documents from another country, where production would violate the laws of that other country?
In these circumstances, the company should not provide the documents, but should inform the requesting authority of the reason why these documents cannot be provided (i.e., that the data protection laws in the other country constitute reasonable excuse for lack of compliance).
60Does your country have secrecy or blocking statutes? What related issues arise from compliance with a notice or subpoena?
The collection and use of personal data in the UK are governed by the DPA 2018, including restrictions on the disclosure of personal data. Personal data is defined as data that relates to a living individual who can be identified from that data. However, broadly speaking, the non-disclosure provisions in the DPA 2018 do not apply if the material is requested by a notice or court order issued on the grounds that the material is necessary for the prevention or detection of crime, the apprehension or prosecution of offenders, the assessment or collection of any tax or duty, or of any imposition of a similar nature.
The term ‘blocking statute’ is generally not applicable except in the field of financial and trade sanctions, for which there is blocking legislation in relation to specific US sections that have extraterritorial application.
61What are the risks in voluntary production versus compelled production of material to authorities in your country? Is this material discoverable by third parties? Is there any confidentiality attached to productions to law enforcement in your country?
When material is provided voluntarily and without restrictions, the authority is free to share it with third parties or other authorities, and to use it for any purpose.
In general, it is advisable only to provide material voluntarily having obtained contractual undertakings that agree the restricted basis on which the material has been provided (e.g., only for use by that authority in the course of an investigation and not to be shared with other parties).
While contractual undertakings restrict an authority’s ability to voluntarily provide material to other parties, they do not prevent third parties from obtaining court orders against the authority requiring production of the material. However, production orders should only be granted when it is in the interests of justice, and the fact that the material came into the possession of the authority under the restrictions imposed by the undertakings may lead a court to determine that it is not appropriate to grant a production order against the authority in that context, particularly as the third party could attempt to obtain the documents from an unfettered source, such as the company.
In general, authorities are restricted as to how they can share material they obtain as a result of exercising their compulsory powers or court orders, and customarily such material should only be shared where it is necessary for an investigation and the disclosure is proportionate.
Prosecution and penalties
62What types of penalties may companies or their directors, officers or employees face for misconduct in your country?
Penalties on conviction include imprisonment for individuals, fines, compensation and confiscation orders. Individuals can also be disqualified from being a director of a company for up to 15 years. When DPAs are agreed, monitoring may be imposed.
Companies convicted of certain offences, including active bribery and money laundering, must also be debarred from public tendering for up to five years.
Regulatory authorities can impose additional penalties. For example, the FCA can withdraw a firm’s authorisation and prohibit it from undertaking specific regulated activities for up to 12 months, prohibit individuals from carrying out regulated activities, or impose fines on firms or individuals. The Prudential Regulation Authority (the authority responsible for the prudential regulation and supervision of around 1,700 banks and other firms) can restrict a firm’s permission to conduct regulated activities or impose a fine.
63Where there is a risk of a corporate’s suspension, debarment or other restrictions on continuing business in your country, what options or restrictions apply to a corporate wanting to settle in another country?
The Public Sector Procurement Directive (2014/24/EU) was transposed into UK law by the Public Contracts Regulations 2015. Under these Regulations, companies must be excluded from public procurement if they have been convicted in the past five years of any offences from a list that includes, among others, conspiracy, corruption, bribery, money laundering and fraud. The corporate offence of failure to prevent bribery (section 7 of the Bribery Act 2010) is not included in this list of offences and does not require mandatory debarment.
The Regulations also provide a list of offences that carry discretionary debarment for up to three years, including professional misconduct, non-payment of tax and distortion of competition.
However, the Regulations allow companies to recover eligibility to bid for public contracts following a debarment by demonstrating evidence of self-cleaning, such as the payment of compensation to the victim of the offending, clarification of the facts and circumstances of the offence in a comprehensive manner, co-operation with the investigating authority, and the implementation of appropriate measures to prevent further criminal offences or misconduct.
64What do the authorities in your country take into account when fixing penalties?
When fixing penalties following conviction, courts must have regard to the sentencing guidelines published by the Sentencing Councils for England and Wales, and Scotland.
Specific sentencing guidelines were published in 2014 for England and Wales in respect of corporate fraud, bribery and money laundering offences providing that, when sentencing a company, the court must first determine whether compensation or confiscation orders should be made.
Thereafter, the court should consider, inter alia, the following issues:
- the level of culpability and financial harm;
- the aggravating or mitigating factors, for example whether the criminal activity was endemic or whether the corporate offered full co-operation with the law enforcement authority during the investigation;
- the financial circumstances of the company; and
- the stage at which a guilty plea was entered (if the matter was not contested).
Resolution and settlements short of trial
65Are non-prosecution agreements or deferred prosecution agreements available in your jurisdiction for corporations?
DPAs have been available in England and Wales (as a result of the Crime and Courts Act 2013) since 2014 as an alternative disposal for corporate offending. DPAs are not currently available in Scotland, where a civil settlement regime applies, or in Northern Ireland. Non-prosecution agreements do not exist in the UK.
The SFO and CPS have published a Code of Practice explaining the DPA process. Also, in summer 2019, the SFO issued guidance on what it considers amounts to co-operation with its investigations, including a requirement to report a suspected fraud or bribery within a reasonable time of the suspicion arising. The guidance makes it clear that co-operation will be a relevant factor in making charging decisions.
A prosecutor may invite, at its discretion, a corporate suspect into DPA negotiations if it determines that having identified the full extent of the offending, the evidential test has been satisfied and the public interest would benefit from a DPA. Until the Rolls-Royce case, the orthodox view was that a corporate will only be invited to negotiations where a self-report has been made and the corporate has fully co-operated with the authority. Following Rolls-Royce, it is possible that a DPA may be negotiated in wider circumstances, including when there has been no self-report but subsequent extraordinary co-operation by a corporate with the law enforcement authority.
If it is possible to agree the terms of a DPA and a statement of facts, the corporate will be formally charged with the criminal offence or offences and the matter will be brought before a judge for approval. The judge will only approve the DPA if satisfied that it is in the interests of justice and the terms are fair, reasonable and proportionate. The judge can adjourn the matter to obtain further information or clarification as to the facts or terms.
If judicial approval is given, the criminal proceedings will be suspended for a set period as defined by the terms of the DPA. The terms and facts of the DPA will then be published on the authority’s website.
If the corporate complies with the terms of the DPA, at the conclusion of the set period the criminal proceedings will be formally discontinued. If the corporate breaches the terms and the breach cannot be remedied, the criminal proceedings will resume.
DPAs carry the advantage of avoiding a conviction, affording the opportunity of speedier resolution (relatively speaking) and to continue trading under agreed parameters. They also enable the corporate to avoid the time and costs of an open-ended, lengthy and uncertain criminal investigation and trial that can adversely affect share price and access to finance, and cause difficulties in tendering.
The obvious disadvantage of entering into a DPA is if a corporate has substantially accepted its conduct would have constituted a criminal offence, and then will need to accept penalties based on a prosecution case that has not been tested at trial, where a corporate could potentially have been acquitted of the relevant charges (as in the Tesco Stores Limited case, as discussed in question 51). A further disadvantage to be carefully considered is that the terms of a DPA are likely to include regular monitoring and audit by an independent monitor (typically a large accountancy or law firm) for which the company will bear the costs.
At the time of writing, five DPAs have been agreed in the UK. The most recent of these was with Serco Geografix Ltd (a wholly owned subsidiary of Serco Group plc), relating to allegations of fraud and false accounting. Of particular significance was the ‘very substantial co-operation’ shown by Serco Group, which included not only waiving privilege in respect of certain accounting material and detailed, proactive and prompt reporting of the fraudulent conduct, but also co-operation with the SFO’s request not to engage in any internal inquiry of its own by way of interviewing witnesses during the SFO’s criminal investigation; instead Serco Group instructed an independent law firm to conduct a full document review and provided the SFO with a detailed report of the findings. It also notified the SFO of any developments within the business that could affect the criminal investigation and gave the SFO unrestricted access to the email accounts of current and former employees. This is also the first case in which a parent company agreed to accept obligations mirroring the requirements imposed on its subsidiary by the DPA, described by Mr Justice Davis as a ‘key component of the DPA’ and ‘an important development in the use of DPAs’.
66Does your jurisdiction provide for reporting restrictions or anonymity for corporates that have entered into non-prosecution agreements or deferred prosecution agreements until the conclusion of criminal proceedings in relation to connected individuals to ensure fairness in those proceedings?
Reporting restrictions can be placed on DPAs while criminal proceedings in relation to connected individuals are under way in the UK. Reporting restrictions were imposed on the Sarclad and Tesco DPAs because of ongoing proceedings against the individuals allegedly responsible for the misconduct. Following the conclusion of those proceedings, the reporting restrictions were lifted.
67Prior to any settlement with a law enforcement authority in your country, what considerations should companies be aware of?
Before entering into a settlement with a law enforcement authority, a company should assess: the merits and strength of the prosecution and defence cases; the likelihood of conviction; the expected time, cost, reputational damage and other adverse effects of a lengthy investigation and trial; and the likely penalties in the event of a conviction, including possible debarment from public procurement tenders.
The company should then carefully assess the terms of the proposed settlement, including the effect that continuing co-operation could have on the business (legal costs, staff resources, etc.); whether the settlement will resolve the matter in all relevant jurisdictions and, if not, the effect the settlement could have in regard to ongoing investigations in other jurisdictions (e.g., whether the authority that has settled will disclose information and assist foreign authorities); and any other adverse effects that the settlement could have on the future of the business.
Ultimately the company should balance the seriousness of the charge and the potential consequences of a conviction (including whether it results in debarment) against the terms of the settlement, as in some circumstances the terms of a settlement, including, for example, the costs of regular review and monitoring by an independent monitor (typically a large accountancy or law firm), could be more disadvantageous to a company than a conviction.
68To what extent do law enforcement authorities in your country use external corporate compliance monitors as an enforcement tool?
The Crime and Courts Act 2013 and the related guidance permit the appointment of monitors in appropriate cases. The Deferred Prosecution Agreements Code of Practice (the DPA Code) – of which the SFO and CPS are required to take account when negotiating, applying to the court for and overseeing DPAs – sets out the roles, duties and mechanics of appointing monitors as a term of a DPA. The DPA Code stops short of requiring or even encouraging the appointment of a monitor as a condition of a DPA.
69Are parallel private actions allowed? May private plaintiffs gain access to the authorities’ files?
Parallel private civil actions are allowed. Generally, but not always, the criminal proceedings will take precedence and civil proceedings can be stayed for the duration of the criminal investigation, so as not to prejudice any criminal proceedings.
Private plaintiffs will only gain access to specified information in the authority’s files if they obtain a court order. Before making any such order, the court would carefully consider the reason why the private plaintiff requires the information, whether the plaintiff would be able to obtain the information from any other source, the method by which the authority obtained the relevant information, for example if it was obtained under compulsory powers, and whether the information is likely to contain any confidential, privileged or personal information relating to third parties.
Increasingly, small numbers of private criminal prosecutions involving allegations of fraud are being conducted in the courts of England and Wales. The instigation of a private prosecution is provided for in section 6 of the Prosecution of Offences Act 1985 and is subject to a power of the director of public prosecutions to take over the private prosecution at any stage (and, if they choose, to discontinue it).
Publicity and reputational issues
70Outline the law in your country surrounding publicity of criminal cases at the investigatory stage and once a case is before a court.
It is a contempt of court to publish a report that creates a substantial risk that the course of justice in active criminal proceedings will be seriously impeded or prejudiced. Proceedings are active for this purpose after arrest or charge and until the proceedings have been concluded, for example by acquittal or conviction, or discontinuance by the authority. As a result there is generally very little media reporting of criminal investigations in the UK until the end of a trial other than to state the facts of arrests and report court hearings.
71What steps do you take to manage corporate communications in your country? Is it common for companies to use a public relations firm to manage a corporate crisis in your country?
It is common practice for companies to hire a public relations (PR) firm to manage a large-scale corporate crisis to mitigate potential reputational damage. It is important to ensure a consistent approach by opening good lines of communication between the company’s internal marketing and the external PR firm, and to ensure that the PR firm is aware of any legal or corporate issues (including any agreements reached with the investigating authority with regard to press releases, etc.).
It is also vitally important that public statements do not have the potential effect of prejudicing ongoing criminal proceedings (for example, the trial of the company or individual employees) or contradict any defence on which the company may later seek to rely. For those reasons, statements issued by a company under investigation should be brief and factual, and should always be approved by the company’s criminal law advisers.
72How is publicity managed when there are ongoing related proceedings?
As stated in question 71, it is vitally important that public statements issued by the company do not have the potential effect of prejudicing ongoing criminal proceedings, such as the related prosecution of employees or third parties. Statements issued by a company in those circumstances should always be brief and factual, and approved by the company’s criminal law advisers until the conclusion of all related proceedings.
Duty to the market
73Is disclosure to the market in circumstances where a settlement has been agreed but not yet made public mandatory?
Under the UK Listing Rules, publicly listed companies must issue a market announcement without delay regarding any major new development that may affect their business, if the development may lead to a substantial share price movement. A settlement of criminal proceedings would generally require such an announcement.
If the matter is settled by way of a DPA, the matter is not settled until it has actually been approved by a judge at a court hearing. In practice, prior to the final hearing (at which the parties will generally expect approval to be given, as the terms, etc. will have been examined and challenged at preliminary hearings), the company and the authority will have agreed press statements to be released to the market and wider public as soon as approval is given.
74Do you expect to see any key regulatory or legislative changes emerge in the next year or so designed to address corporate misconduct?
The UK government is due to report on its call for evidence in expanding the ‘failure to prevent’ offence to include other economic crime (it currently covers bribery and tax evasion).
In April 2018, the European Parliament voted to adopt the Fifth Money Laundering Directive (5MLD). Intended to address weaknesses and update 4MLD, it is to be transposed into UK domestic law by 10 January 2020; however, it is presently unclear whether the UK government will proceed with the legislation in the event of a no-deal Brexit.
5MLD makes significant changes to the anti-money laundering regime in the European Union, including designating virtual currency platforms and custodian wallet providers as obliged entities for the purposes of 4MLD and revising the scope of the customer due diligence provisions. It will also require enhanced due diligence to be carried out in transactions to and from high-risk countries; increase powers and access to information for national financial intelligence units; and require registers of corporates’ beneficial ownership information to be made available to the general public.
In June 2019, the Law Commission published its report on the suspicious activity reporting process, concluding that although the core of the current system should be retained, improvements and efficiencies are required if the reporting regime is to produce useful intelligence rather than simply volumes of low-quality information. Recommendations include:
- the creation of an advisory board of industry experts to oversee the drafting of guidance and advise the secretary of state on appropriate improvements and how best to respond to emerging threats;
- the production of a new standardised online suspicious activity report (SAR) form, to make the reporting process easier to navigate, promoting greater consistency in the information that is provided in an easy-to-read, accessible format that would also allow analytical techniques to be applied to it, and speed up the process; and
- allowing ring-fencing of suspected criminal property by a credit of financial institution in certain circumstances. The practical effect of submitting an SAR is that whole accounts are frozen, not just the allegedly criminal property element, which can cause difficulties for both banks and account holders while a decision on consent to proceed is awaited (and even after that). This recommendation will give some comfort particularly to banks, allowing for a more proportionate response to the reporting of suspected criminal property, enabling transactions on legitimate funds to continue while prohibiting the use of those under suspicion.
The UK government’s response to the recommendations is awaited.