In review: criminal and regulatory enforcement against companies in United Kingdom (England & Wales)

An extract from The International Investigations Review, 11th Edition

Introduction

The law on corporate criminal attribution in England and Wales has historically made it difficult to hold entities to account for the actions of their employees. Driven by developments in certain areas of criminal law,² increasingly aggressive enforcement in sectors such as financial services, and increasing public demands for corporate accountability, the nature and scope of corporate investigations have been steadily growing.

Several bodies have responsibility for various aspects of corporate investigations:

1. the Serious Fraud Office (SFO) investigates and prosecutes the most serious cases of fraud and other economic crimes in the United Kingdom (UK). This includes lead-agency responsibility for enforcing the Bribery Act 2010 (the BA 2010);³
2. the Competition and Markets Authority (CMA) is the main competition regulator and is responsible for enforcing the Competition Act 1998 (the CA 1998) and the Enterprise Act 2002;⁴
3. the Financial Conduct Authority (FCA) is both a prosecuting body and the regulator of financial institutions, with responsibility for maintaining the integrity of the UK financial markets, including the investigation of financial sector crimes, such as market abuse and insider dealing;⁵
4. Her Majesty’s Revenue and Customs (HMRC) investigates tax and revenue-related offences with wide-ranging civil and criminal investigatory powers;⁶
5. the Office of Financial Sanctions Implementation (OFSI) implements the UK sanctions regime;⁷
6. the Crown Prosecution Service (CPS) prosecutes cases investigated by the police forces of England and Wales, as well as on behalf of HMRC and the CMA (which have only investigatory powers and no prosecuting authority);⁸ and
7. the National Crime Agency (NCA), which includes the National Economic Crime Centre (NECC),⁹ coordinates and assists the work of the other agencies and the police in the investigation and prosecution of economic crime.

These bodies have a range of powers to enforce the legislation applicable within their remits. These powers include the ability to execute search warrants and to file compulsory production notices for the production of documents in certain cases. Some of these powers can only be exercised with a court order, some have to be exercised with the assistance of the police and others are wholly in the control of the agencies themselves (determined by the statutory powers by which they are established).

The ability and extent of the bodies’ powers to obtain material has been the subject of a number of important challenges through the courts in recent years, which will be discussed further below. Corporations are not permitted to withhold documents from the authorities on the grounds of client confidentiality and data privacy, and must hand over any materials requested by such notices and orders, except when legal privilege applies.¹⁰ In England and Wales, failure to comply with a lawful production order is a separate criminal offence.

Conduct

i Self-reporting

A corporate’s approach to self-reporting in England and Wales must be considered against a broad spectrum of factors, which include the nature of the issue, the prospect of enforcement activity, the benefits of cooperation with authorities, the industry sector in which the corporate operates and the supervisory regime applicable to the corporate. Although there is no obligation to self-report most criminal conduct, there are notable exceptions for those operating in regulated sectors such as financial services. The decision whether to self-report will need to take into account this wide range of factors, as well as the possibility of enforcement actions in other jurisdictions (which will be subject to their own decision in respect of self-reporting). Such decisions will usually be taken with the assistance of legal counsel.

The FCA’s principles of openness create an expectation that the entities they regulate will self-report issues.¹¹ The regulator has regularly made clear that it regards self-reporting to be a key part of the open and cooperative relationship it expects of its regulated entities.¹² Within its guidance, the FCA mandates a large number of reporting requirements, including reporting in relation to complaints,¹³ accounts¹⁴ and market abuse.¹⁵ The principle of openness has, on several occasions, been the basis for fining firms for failing to adequately self-report. On 31 March 2021, the FCA published a policy statement¹⁶ confirming its decision to extend its requirements to include more entities within the scope of the annual financial crime data reporting obligation (REP-CRIM). The FCA explained that this decision increases the number of firms that must submit a REP-CRIM return from around 2,500 to around 7,000. Firms being brought into scope are required to submit their first REP-CRIM within 60 business days of their first accounting reference date falling after 30 March 2022. The FCA believes that the data it gathers via the return will help it to better identify financial crime risks, trends and emerging issues. The data will also help it to more accurately risk-rate firms and target its specialist resources. One outcome will be fewer visits to firms posing lower risks, which the FCA recognises is an unnecessary burden for those firms and an inefficient use of its resources.

The CMA takes a more discretionary approach to self-reporting, but one based on an explicit framework for the recognition of reporting.¹⁷ The leniency programme is designed to encourage companies that have been involved in wrongdoing to proactively cooperate with the CMA. To encourage self-reporting, the CMA offers a sliding scale of leniency ranging from total immunity to reduced financial penalties, depending on the timing of the self-reporting.¹⁸ As with most self-reporting regimes, the earlier the report is made, the more lenient the authority will be. As noted in the CMA’s guidance,¹⁹ which addresses the impact of the UK’s exit from the EU on 31 January 2020 (Brexit) on its powers and processes and the European Commission’s leniency regimes, the CMA and the EU Member States’ national competition authorities will remain separate and each jurisdiction should be considered individually. A leniency application made by a party to the European Commission, whether before or after Brexit, will not provide the party with any protection from fines with respect to any UK investigation under the CA 1998. Nor will such an application provide a party’s employees or directors with any protection from prosecution for a criminal cartel offence relating to cartel activity in the UK. As was the case prior to Brexit, when considering whether to make a leniency application to the European Commission, parties are encouraged to consider whether it would also be appropriate to make such an application to the CMA and vice versa. Post-Brexit, this will be even more important than before given the possibility of parallel investigations by the European Commission and the CMA or a concurrent regulator.

Although not as structured as the CMA scheme, a similar incentive-based self-reporting approach is taken by the SFO and the CPS. The SFO’s policy on corporate self-reporting states that self-reporting will be a key factor in its deciding whether to prosecute.²⁰ Initially the SFO had indicated that only companies that self-reported would be eligible for a deferred prosecution agreement (DPA),²¹ but both Rolls-Royce and Tesco secured DPAs without self-reporting.²² On 23 October 2020, the SFO published its detailed guidance²³ on the DPA chapter of its Operational Handbook, which introduced ‘suggested’ terms for DPAs that SFO investigators were encouraged to use when negotiating DPAs. These terms emphasised the need for self-reporting of any misconduct that comes to a corporation’s attention during the course of a DPA, as well as requiring SFO approval for any sale or merger of the corporation while a DPA is in effect.

An additional but discrete layer of strict self-reporting is required under the Proceeds of Crime Act 2002 (the POCA 2002). The POCA 2002 legislates for a number of criminal money laundering offences, including being concerned in an arrangement that the person knows or suspects facilitates the acquisition, retention, use or control of criminal property by or on behalf of another person.²⁴ Voluntary self-reporting through an authorised disclosure may be used as a defence to such an offence.²⁵ Although self-reporting is not compulsory for non-regulated persons, it is a criminal offence for a regulated person – who has reasonable grounds for knowing or suspecting that another person is engaged in money laundering – to fail to report such knowledge or suspicion.

ii Internal investigations

Both international and domestic companies are increasingly using internal investigations as a way of mitigating risk, as well as honouring regulatory obligations. A company can no longer consider it a viable option to turn a blind eye to any allegations or suspicions that it receives about its business operations, and an internal investigation is a common first step in dealing with potential issues.

Legal professional privilege is an issue related to internal investigations that has received significant attention in the past few years. In England and Wales, internal legal counsel attract the same legal privilege as external counsel, so instructing external counsel may not offer the advantage that it does in other jurisdictions in this respect. The extent of that privilege has been the subject of judicial decision in Director of the SFO v. Eurasian Natural Resources Corporation Limited,²⁶ in which the Court of Appeal reversed the first-instance decision²⁷ wherein the High Court agreed with the SFO’s view that litigation and legal advice privilege did not apply in the context of documents that were generated during an investigation by forensic accountants and lawyers (see Section IV.iii).

iii Whistle-blowers

The Public Interest Disclosure Act 1998 (the PIDA 1998) sets out market-wide protection for whistle-blowers.²⁸ The PIDA 1998 has a significantly broader definition of ‘worker’ than the Employment Rights Act 1996, which includes employees, employee shareholders and agency workers.²⁹ Should an employer dismiss a worker for the reason (or principal reason) that the employee made a ‘protected disclosure’, this dismissal will automatically be unfair.³⁰ Further, if an employer subjects an employee to any detriment for making a protected disclosure, the employee could also have a distinct claim for detriment up to the date the employee was dismissed. Detriment can include damaged career prospects, dock of pay or loss of work and disciplinary action.

On 8 September 2019, the Council of Ministers adopted the EU Whistleblower Directive (the Directive),³¹ which grants greater protections to individuals who report any breach of EU law. While the Directive is to be treated as a floor for unified protections across the EU, countries can further strengthen their own regimes as they wish. Following Brexit, it seems unlikely that the provisions of the Directive will be implemented in the UK. However, the proposals prior to the implementation of the Directive noted that the UK was one of the Member States that already has a comprehensive regime in place³² and many of the protections underpinning the Directive already exist in legislation such as the PIDA 1998. The Directive is nevertheless likely to be relevant in a number of ways. For example, it exceeds the current whistle-blower requirements under UK law and may become best practice. The UK All Party Parliamentary Group for Whistleblowing published its first report in June 2019,³³ which included recommendations for revising the current law and creating an Independent Office of the Whistleblower, indicating potential momentum for change to the current UK laws. Moreover, the Directive will pertain to all companies with operations in continental Europe. In particular, companies will need to take the Directive into account to maintain a single global whistle-blowing framework.

The financial services sector has developed a more rigorous whistle-blower regime than that created under the PIDA 1998. The current regime applies to around 8,000 companies operating in the financial services sector, but this could increase to an estimated 55,000 companies once the regime is widened.³⁴ From April 2019 to March 2020, the FCA managed and assessed 1,153 whistle-blower reports, which included 2,983 separate allegations.³⁵ Consumer detriment has become an area of increasing focus for the FCA given the significant increase in the number of whistle-blower reports in this area, particularly among more vulnerable consumers during the covid-19 crisis. In March 2021, the FCA launched a campaign, ‘In confidence, with confidence’, to encourage individuals working in financial services to report potential wrongdoing.³⁶

On 14 November 2018, the FCA published its research into the consequences of the new whistle-blowing rules introduced on 7 September 2016. These rules can be found in the Senior Management Arrangements Systems and Controls³⁷ and they require firms to:

have effective arrangements in place for employees to raise concerns, and to ensure these concerns are handled appropriately and confidentially. The requirement to appoint a whistle-blowers’ champion is to ensure there is senior management oversight over the integrity, independence and effectiveness of the firm’s arrangements.³⁸

The Financial Reporting Council (FRC),³⁹ which is responsible for setting UK standards of corporate governance, includes, within the UK Corporate Governance Code 2018, a principle that ‘[t]here should be a means for the workforce to raise concerns in confidence and – if they wish – anonymously.’⁴⁰ This Code, however, operates on a ‘comply or explain’ basis, so listed companies are not obliged to have a whistle-blowing policy in place, even if it is good practice.

Similarly, the Ministry of Justice (MOJ) suggests that having proportionate whistle-blowing procedures⁴¹ may be an important part of asserting an ‘adequate procedures’ defence to the offence of failing to prevent bribery under Section 7 of the BA 2010 and the British Standards Institution outlines whistle-blowing procedures as part of its published standard for Anti-Bribery Management Systems.⁴²

Enforcement

i Corporate liability

In general, a corporate employer is vicariously liable for its employees’ tortious acts if this would be fair and just. Two recent Supreme Court decisions provide some clarification on the question of an employer’s liability for rogue employees’ acts. In WM Morrison Supermarkets plc v. Various Claimants,⁴³ the Supreme Court held that Morrisons was not vicariously liable for the actions of an employee who, without authorisation and in a deliberate attempt to harm his employer, uploaded payroll data to the internet using personal equipment at home. This decision provides welcome confirmation for employers that they will not always be liable for data breaches that rogue employees commit. In Barclays Bank plc v. Various Claimants,⁴⁴ the Supreme Court, overturning a Court of Appeal decision, held that Barclays was not vicariously liable for the acts of a self-employed medical practitioner who was alleged to have committed sexual assaults while carrying out medical assessments of the bank’s prospective employees. However, the decision noted that a person can be held vicariously liable for the acts of someone who is not their employee, provided the relationship between them is sufficiently akin to employment. Therefore, if the employees’ acts are within the ordinary course of their employment, this will usually suffice for the employer to incur vicarious liability.

By contrast, corporate criminal liability is normally only relevant if a criminal offence imposes strict liability and the state of mind of the company (acting through its employee) does not need to be established. In addition, there are a growing number of statutory offences that create corporate liability, such as the offence of ‘failure to prevent bribery’ under Section 7 of the BA 2010, which is discussed further below.

Apart from those offences that create a direct corporate liability, companies will only be liable for offences requiring proof of a criminal state of mind by application of the ‘identification principle’. The identification principle imputes, to the company, the acts and state of mind of the individuals who represent the ‘directing mind and will’ of the company. This is much more narrow than the basis of attribution in the US, for instance, where a company can be liable for the actions of its agents and employees when they act within the scope of their employment and, at least in part, to benefit the company (which is more akin to the basis for civil liability in England and Wales).

The BA 2010 introduced a new approach to establishing corporate criminal liability in the UK. It legislates for bribery offences committed in the UK and abroad by individuals and companies. Section 7 of the BA 2010 creates the offence of failure to prevent bribery, which can be committed by a corporate entity only. It first requires that a person associated with the company has committed an offence under Sections 1 or 6 of the BA 2010 or would have done if they were within the territorial scope of the BA 2010. A person is ‘associated with’ the company if they perform services for or on behalf of the organisation in any capacity. This is, therefore, not confined to employees but also covers agents such as independent contractors.

Secondly, Section 7 of the BA 2010 requires that the person who committed the offence to have intended either to obtain or retain business or an advantage in the conduct of business for the company. Knowledge on behalf of the company is not required. Section 7 of the BA 2010 has a broad territorial scope and applies not only to UK-incorporated companies, but also to those that carry on a business or part of a business in the UK.

If the company had in place adequate procedures to prevent acts of bribery by persons associated with it (this is discussed in more detail below), the BA 2010 considers this a complete defence to the corporate offence of failure to prevent bribery.

ii Penalties

Corporations considered liable for corporate misconduct can suffer penalties ranging from a minor fine to a substantial financial penalty and severe criminal consequences from a selection of prosecuting bodies.

The Financial Services and Markets Act 2000 (the FSMA 2000) grants the FCA the power to impose a variety of sanctions ranging from public censure to revocation of FCA authorisations and large regulatory fines.⁴⁵ In 2020, a number of notable fines were associated with breaches of the FCA’s Principles for Business.⁴⁶ Lloyds Bank plc, Bank of Scotland plc and The Mortgage Business plc, for example, were fined £64,046,800 for the unfair treatment of customers in the mortgages sector.⁴⁷ The FSMA 2000 also grants the FCA the power to bring criminal prosecutions for the purpose of tackling financial crime such as investigations for insider dealing pursuant to the Criminal Justice Act 1993, and breaches of the recently enacted Sanctions and Anti-Money Laundering Act 2018. The FCA’s Decision Procedure and Penalties Manual sets out a non-exhaustive list of the factors that the FCA considers before issuing a penalty, which includes looking at the nature, seriousness and impact of the suspected breach, the conduct after the breach and previous disciplinary record and the compliance history of the person in question. The FCA will also consider ‘the full circumstances of each case’ when determining whether to impose a penalty.⁴⁸

The CMA also has a range of criminal and civil legislative powers it can exercise with regard to competition law infringements. The CMA can impose fines for breach of the CA 1998 if the CMA is satisfied an infringement has either been intentionally or negligently committed.⁴⁹ The most notable fine that the CMA can impose is an amount of up to 10 per cent of a firm’s worldwide turnover in the business year that precedes the date of the CMA’s decision.⁵⁰

The CMA can also impose settlement and the making of commitments.⁵¹ Settlement allows early resolution of investigations by way of a voluntary process if a business under investigation by the CMA for a breach of competition law admits a breach and accepts a streamlined version of the process that will govern the remainder of the CMA investigation. In return for its cooperation and an admission of wrongdoing, the business will gain a reduction in any financial penalty that the CMA imposes.

The SFO has the power to prosecute in cases involving serious or complex fraud, bribery and corruption. Alternatively, the SFO may consider inviting a company to enter into a DPA, which is supervised by a judge and governed by the DPA Code published by the SFO and the CPS, which states that the SFO’s role is as a prosecutorial authority and that DPAs are for use only in exceptional circumstances.⁵² Successful completion of a DPA means a company can avoid a criminal conviction.

Individuals prosecuted and convicted by these agencies can be sentenced to pay fines, compensation and court costs and may receive prison sentences if the offences are serious enough. In addition, individuals may be disqualified from holding directorships in the UK.

iii Compliance programmes

Both the CMA and the FCA publish a variety of documents to assist companies in meeting their compliance obligations, including annual plans and a great deal of guidance in the run up to and following Brexit.

As described above, the BA 2010 provides a defence to the Section 7 offence, if a commercial organisation can show on the balance of probabilities that it had in place adequate procedures designed to prevent bribery. The MOJ has provided guidance on what may be considered to constitute adequate procedures for the purposes of the defence, although, ultimately, what constitutes adequate procedures will be determined by the courts.⁵³

The BA 2010 adequate procedures defence was tested for the first time in the case of R v. Skansen Interiors Limited.⁵⁴ The case concerned two bribes that had been paid to an employee managing the tender for an office refurbishment by Skansen Interiors Limited (SIL), a small refurbishment company. When a new chief executive officer took over at SIL and learned about the payments that had been made, he initiated an internal investigation and established an anti-bribery and corruption policy. SIL then submitted a suspicious activity report to the NCA.

The question for the jury was whether SIL had adequate procedures in place. SIL argued, inter alia, that: its policies and procedures were proportionate to its size – it was a very small business operating out of a single open-plan office; its business was very localised, removing the need for more sophisticated controls; it was ‘common sense’ that employees should not pay bribes; the ethos of the company was one of honesty and integrity; and a company of its size did not need a more formal policy. The jury did not agree and returned a guilty verdict.

iv Prosecution of individuals

The CPS and the SFO also look to prosecute individuals for financial crime when a business is prosecuted within England and Wales. The Guidance on Corporate Prosecutions states that the prosecution of a company should not be seen as a substitute for the prosecution of criminally culpable individuals such as directors, officers, employees or shareholders of the offending company.⁵⁵ The prosecution of individuals in circumstances involving corporate misconduct is viewed as essential in providing a strong deterrent against future corporate wrongdoing.⁵⁶

When proceedings or enforcement actions are launched against individuals, the company involved must be conscious of its obligations towards its employees. Often, corporates will suspend the individuals suspected of wrongdoing for the duration of any investigations; however, any suspension must be deemed to be fair and reasonable. Individual employees may be entitled to support from their employer company by means of assistance with legal fees in the event of any investigations, although currently there is no statutory requirement for this. Alternatively, some employees may be entitled to some form of officer liability insurance, which can provide cover for the duration of an investigation or trial. Given the scale and cost of government investigations to date, this has become the norm in larger companies.

Recently there has been attention on the SFO’s mixed success in prosecuting individuals connected to companies that are the subject of criminal proceedings. For example, in December 2019, the SFO charged two former directors of Serco Geografix Limited, which had entered into a DPA with the SFO in July 2019.⁵⁷ On 26 April 2021, the case collapsed after facts emerged indicating that the SFO erred when disclosing documents, which jeopardised the trial.⁵⁸ This means that the SFO has so far failed to prosecute any individuals associated with the DPAs it has entered into since they were introduced in 2014. However, the SFO recently succeeded in convicting Basil Al Jarah in connection with the Unaoil bribery case, in October 2020, Julio Faerman in connection with Brazil’s Operation Car Wash scandal, in November 2020, and former SBM Offshore sales manager Paul Bond, in February 2021. The SFO continues to prosecute individuals connected with bribery cases, including three former G4S executives charged with fraud in September 2020.

International

i Extraterritorial jurisdiction

Any departure from the general presumption against the creation of extra-territorial liability must be expressly provided by the legislature;⁵⁹ below is an overview of key examples of pieces of UK legislation containing corporate offence provisions with extra-territorial reach.

The BA 2010 has a wide territorial remit, covering offences that take place in the UK or overseas as long as the company is either UK incorporated or carries on at least a part of its business in the UK.⁶⁰

Among other laws, the POCA 2002 contains the UK’s money laundering offences. Broadly speaking, the money laundering provisions aim to tackle the channels through which proceeds of criminal activity pass. In terms of jurisdictional reach, the location of the underlying criminal conduct is irrelevant; if the conduct would amount to a criminal offence in the UK, had it occurred there, then it will fall within the ambit of the POCA 2002, subject to very limited exceptions.⁶¹ In addition, UK nationals, living overseas, can also be prosecuted for money laundering offences committed outside the UK. The Home Office published a consultation (which ran from 28 January 2021 to 19 March 2021) to obtain feedback on potential changes to the bodies to which the POCA 2002 grants certain financial investigatory powers, including those extending to money laundering investigations. At the time of writing, the outcome of the public feedback is yet to be released.

The offence of failure to prevent the facilitation of tax evasion was introduced by the Criminal Finances Act 2017 (the CFA 2017) and applies to both domestic and overseas tax evasion. Under the CFA 2017, companies are liable for the conduct of their associated persons who facilitate the evasion of either UK or overseas tax. For the UK tax evasion offence, the conduct can occur anywhere in the world; for the foreign tax evasion offence, the relevant body must either be incorporated in the UK, carry on business in the UK or the relevant conduct must have taken place in the UK. ‘Relevant bodies’ will be liable for failing to prevent the actions of their employees and other associated persons who criminally facilitate tax evasion.⁶² A ‘relevant body’ is a company or partnership, irrespective of jurisdiction of incorporation or formation.⁶³ A ‘person associated’ with the relevant body is an employee, an agent or any other person performing services for or on behalf of that relevant body.⁶⁴ To the extent the offence took place outside the jurisdiction, UK prosecutors need to prove, to the criminal standard, that both the taxpayer and the associated person committed an offence. Like the corporate offence under the BA 2010, the CFA 2017 provides companies with a defence where they can show that they had in place ‘reasonable procedures’ to prevent the offending.

With the increase in online criminal activity, the Crime (Overseas Production Orders) Act 2019 (the COPO Act) will provide a useful basis for investigators and prosecutors that require quick access to electronic data (such as emails) situated outside the UK. However, the extra-territorial power will only be effective if there is a cooperation agreement in place between the UK and the jurisdiction where the holder of the data is located. At the time of writing, there is only one cooperation agreement in place, between the UK, Northern Ireland and the US.⁶⁵ Reliance on the COPO Act is likely to increase in light of the recent case of R (on the application of KBR, Inc) v. Director of the Serious Fraud Office,⁶⁶ in which the Supreme Court held that the SFO did not possess the power to compel a US company to produce documents it held outside the UK. The Supreme Court ruled that Section 2(3) of the Criminal Justice Act 1987 does not have extraterritorial effect, overturning the earlier judgment in which the High Court allowed extraterritorial application of Section 2(3) if a sufficient connection existed between the UK and the jurisdiction receiving the notice. This ruling’s practical impact is that the SFO must continue to rely upon other routes to obtain documents a foreign company holds overseas, such as by using overseas production orders under the COPO Act and the mutual legal assistance regimes.

ii International cooperation

The UK authorities work with their counterpart authorities in other jurisdictions in a variety of ways. Some ‘formal’ methods of cooperation exist,⁶⁷ but it is not uncommon for international enforcement authorities to share information with their foreign counterparts through more informal channels of communication, relying on established relationships.⁶⁸

Following Brexit, there is a degree of uncertainty regarding the future framework for international cooperation between the UK and Europe. After the UK’s transition period ended, the European Union, the European Atomic Energy Community, and the United Kingdom of Great Britain and Northern Ireland entered into the Trade and Cooperation Agreement (the Trade Agreement). Title VII of the Trade Agreement outlines provisions that facilitate international cooperation between the UK and EU Member States regarding law enforcement. It introduces the concept of surrender, which deals with the issue of extradition and aims to replace the European Arrest Warrant system as a fast-tracked extradition system between EU Member States and the UK with limited grounds for refusal and time-limited processes. The new arrest warrant, which appears in Annex Law-5 of the Trade Agreement, mirrors the European Arrest Warrant’s content and form.

iii Local law considerationsData privacy

After the UK’s transition period ended, the EU’s General Data Protection Regulation (the EU GDPR) ceased to directly apply to the UK.⁶⁹ The EU GDPR had extra-territorial application to organisations that monitor behaviour of individuals that takes place within the EU, or to organisations offering services or goods to individuals in the EU. The government of the UK has issued its own version of the GDPR, namely the United Kingdom General Data Protection Regulation (the UK GDPR), which took effect on 31 January 2020, and does not contain any significant differences from the EU GDPR, as evidenced by the Keeling Schedule, last updated on 18 December 2020.⁷⁰

The UK GDPR imposes strict data protection obligations and prohibits the transfer of personal data from the UK to a location outside the European Economic Area (EEA), unless the recipient, jurisdiction or territory is able to ensure a UK-equivalent level of protection. Currently, the European Commission has determined that only a few countries provide adequate levels of protection, while many other countries, such as the US, fall short of the standard.⁷¹ This means organisations operating in the UK may be limited in their ability to transfer personal data into various non-EEA territories. By virtue of the Trade Agreement, transfers of personal data from the EEA to the UK could continue unrestricted until 1 May 2021, with an automatic extension to 1 July 2021 unless either side objects. On 19 February 2021, the European Commission released its draft adequacy decision in which it concluded that the UK provides adequate protection for personal data transferred from the EEA and within the EU GDPR’s scope, meaning that personal data can continue to flow from the EEA to the UK without requiring further safeguards.

Legal professional privilege

Legal professional privilege has been a heavily litigated issue in recent years. England and Wales recognises two forms of legal professional privilege, in respect of both in-house and external counsel:

1. ‘litigation privilege’, which attaches to communications passing between a lawyer and a client, and also between a lawyer or client and a third party (such as a forensic accountant), for the sole or dominant purpose of preparing for adversarial litigation.⁷² The litigation can either be in progress or in contemplation, and includes civil and criminal litigation;⁷³ and
2. ‘legal advice privilege’, which attaches to confidential communications passing between lawyer and a client for the purposes of giving or receiving legal advice. It will not usually apply to communications between a company and its own employees in the context of an investigation.

The meaning of ‘client’ was discussed in detail in Three Rivers No. 5,⁷⁴ yet the ratio of the case has been inconsistently understood and, although it has been recently criticised,⁷⁵ Three Rivers No. 5 remains the leading authority in this respect. The concept of ‘client’ in a corporate context was considered again in The RBS Rights Issue Litigation, in which Hildyard J held that interview notes produced by lawyers during the course of an internal investigation were not protected by legal advice privilege.⁷⁶ Hildyard J understood the Three Rivers No. 5 decision as establishing the principle that the ‘client’, for the purposes of a lawyer–client communication protected as legal advice privilege, must be someone who is authorised to seek and receive legal advice.⁷⁷

This approach was followed by Andrews J in the first-instance decision in ENRC.⁷⁸ On appeal, the court held that whether Three Rivers No. 5 was correctly decided regarding the nature of a ‘client’ was a matter for determination by the Supreme Court.⁷⁹ The court did indicate, however, that there was ‘much force’ in the submissions that if Three Rivers No. 5 did lay down a restrictive interpretation of ‘client’, then it was wrongly decided.⁸⁰ The court said that ‘if, therefore, it had been open to us to depart from Three Rivers (No. 5), we would have been in favour of doing so’.⁸¹ Hickinbottom LJ also had sympathy for this position in a recent Court of Appeal judgment and, while he felt ‘disinclined’ to follow Three Rivers No.5, he stated that he was ultimately bound to do so.⁸²

Year in review

In January 2021, Transparency International released its 26th annual Corruption Perception Index,⁸³ in which the UK remained out of the top 10 for public sector transparency for the third year in a row. A further concern that Transparency International indicated is the risk that corruption in new markets could severely disadvantage UK companies post-Brexit. The chief executive of Transparency International UK commented that: ‘This year, we should be very concerned about corruption in dozens of countries Britain may now seek to do more business in. The government has already talked up the possibility of free trade deals with states across Asia-Pacific with variously poor scores on corruption. With the UK now an independent trading nation, it is vital that companies be afforded every opportunity to export with integrity. Enshrining robust anti-corruption measures in all future trade deals is an essential starting point.’⁸⁴

Following Brexit, the UK remains a member of the Financial Action Task Force in which it aims to remain aligned with its EU allies on anti-money laundering and counter-terrorism financing strategies. While the EU’s money laundering directives no longer bind the UK, the UK has already implemented the Fifth Money Laundering Directive into law. However, the UK has chosen not to adopt the EU’s Sixth Money Laundering Directive, which came into effect on 3 December 2020, with the government stating in its Eighth Annual Report to Parliament in 2018 that ‘the UK’s domestic legislation is already largely compliant with the Directive’s measures, and in relation to the offences and sentences set out in the Directive, the UK already goes much further’.⁸⁵

Moreover, the UK–EU Trade and Cooperation Agreement, which the UK implemented with the EU (Future Relationship) Act 2020 (the Future Relationship Act), contains provisions on cooperation in criminal matters, including for mutual legal assistance and the freezing and confiscation of criminal property. How this new regime will operate is still uncertain, but the Future Relationship Act is unlikely to be as timely or effective for law enforcement authorities as the EU-wide mechanisms pre-Brexit. Informal cooperation is likely to continue, but for now the investigation of serious crime involving EU Member States may take longer.

Covid-19’s impact on the SFO brought a slowdown in the pace of investigations.⁸⁶ The pandemic hindered access to physical evidence, causing procedural delays. The Global Investigations Review reported that the SFO severely suspended suspect interviews and search execution in the pandemic’s wake. In response to this backlog, the SFO revealed it was taking steps to cut down the length of its probes (including the length of trials) in October 2020. While the SFO is yet to announce any investigations into covid-19-related crimes, evidence suggests that these will be forthcoming in the future. Lisa Osofsky, the director of the SFO, stated that the pandemic has created new opportunities for criminals and that ‘law enforcement are working across government to assess and respond to the new threat’.⁸⁷

Despite its suspension of various procedures, the SFO continued to emphasise following through with DPAs, concluding three during 2020, with Airbus SE,⁸⁸ G4S Care and Justice Services (UK) Ltd⁸⁹ and Airline Services Limited.⁹⁰ The SFO also published detailed guidance on its approach to negotiating and entering into DPAs in an attempt to increase transparency. Also of note, the SFO reached its 2020 DPA with Airbus SE as part of a coordinated settlement with French and US authorities, and it is the first time the SFO has applied a DPA to a non-UK company on the basis that it was ‘carrying on a business’ in the UK. This means that a non-UK parent company’s management of UK-incorporated subsidiaries may subject the parent to the BA 2010, even for conduct unrelated to the UK.

The SFO’s internal processes and controls are likely to come under the spotlight in 2021 following last year’s revelation that Lisa Osofsky had exchanged emails and texts with David Tinsley, a retired US Drug Enforcement Administration agent, who was acting for three members of the Ahsani family, which founded and ran the Monaco-based consultancy Unaoil. The allegations against Lisa Osofsky related to the agency’s investigation into Unaoil and have resulted in the SFO conducting a review into the director’s behaviour.⁹¹

The SFO, among others, is keen for there to be more ‘failure to prevent’ corporate criminal offences, similar to the UK’s offences of failure to prevent bribery and failure to prevent the facilitation of tax evasion (as discussed in Sections III.i and IV.i). In November 2020, the government announced that the Law Commission would investigate the UK’s corporate criminal liability legislation, following the MOJ’s 2017 call for evidence. The Law Commission is due to publish an options paper in late 2021, analysing current laws’ pitfalls and setting out options for reform to see corporate entities appropriately accountable.⁹²

In October 2020, the NCA secured its first victory using an unexplained wealth order (UWO)⁹³ solely based on an individual’s alleged involvement in serious organised crime, on almost £10 million in assets against businessman Mansoor Mahmood Hussain.⁹⁴ The case also marks the first time the NCA has successfully recovered property following an UWO, as the NCA ordered Hussain to hand over a large proportion of his empire, including 45 properties.

The FCA also commenced its first criminal prosecution for offences under the Money Laundering Regulations 2007 (MLR). The FCA launched proceedings on 16 March 2021 against NatWest on the basis that the bank failed to adhere to the requirements of Regulations 8(1), 8(3) and 14(1) of the MLR by not adequately exercising controls over £264 million in cash allegedly paid into customers’ accounts. The FCA’s powers provided under the MLR permit it to issue unlimited fines and revoke trading licences.⁹⁵

On 7 January 2021, HMRC imposed a record £28.3 million fine on money-transfer company MT Global Limited for significant breaches of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 over two and a half years. The breaches related to risk assessments, associated record-keeping, policies, controls and procedures, and ‘fundamental due diligence measures’. In 2019–2020, HMRC completed 2000 interventions into supervised businesses and issued penalties surpassing £9 million. It also recouped £166 million from the proceeds of crime, of which more than £22 million related to money laundering offences.⁹⁶

Conclusions and outlook

The impact of Brexit and the covid-19 pandemic on the strategies and effectiveness of law enforcement in England and Wales is yet to be fully understood, but there is no doubt that both have created considerable uncertainty and operational difficulties. With a new administration in the United States likely to return to a more aggressive enforcement strategy, bringing with it an increase in cross-jurisdictional investigations, the post-Brexit and post-covid-19 outlook may well see greater law enforcement activity. In addition, the Law Commission’s options paper, due to be provided to the government towards the end of 2021, may propose the further expansion of corporate criminal liability.

The need for robust corporate investigations has continued to develop as companies face an increased focus on their culture and systems from a wide range of sources, including media and non-governmental agency inquiries, as well as the growing effect of social media campaigning.