UK Economic Crime Group: Enforcement Update
Serious Fraud Office
A significant development in UK White Collar Crime came only weeks ago with the Serious Fraud Office's (SFO) announcement of the conclusion of a Deferred Prosecution Agreement (DPA) with Rolls-Royce. This followed a lengthy investigation into allegations that the company was engaged in widespread bribery and corruption. This is only the third DPA the SFO has finalised to date (after Standard Bank in 2015, and XYZ in 2016) following the introduction of the mechanism in the Crime and Courts Act 2013. The Rolls-Royce DPA is the largest to date, both in terms of scope of conduct and financial penalty (approximately £500 million). In concert with the DPA, Rolls-Royce also agreed to pay fines to the United States Department of Justice (DoJ) and Brazilian authorities (approximately £170 million) in order to settle investigations being carried out by those authorities.
A month earlier, in December 2016, the SFO closed its long-running investigation into allegations of corruption at Soma Oil & Gas Group, without bringing charges. The SFO stated that the decision was taken due to a lack of sufficient evidence to secure a conviction. The decision came two months after Soma failed to bring an end to the SFO's investigation by way of a Judicial Review challenge in the High Court.
Legislative and Regulatory
In a little over a year, the General Data Protection Regulation (GDPR) will take effect in the United Kingdom. The GDPR will introduce sweeping changes to the UK's data protection regime that will significantly increase the responsibilities incumbent upon those organisations caught by the legislation, as well as increasing their exposure to risk. Indeed, fines for certain breaches of the GDPR will potentially be as large as €20 million, or four percent of global turnover, whichever is the higher. As such, and given that this legislation will take effect regardless of 'Brexit', and is likely to remain in force afterward, we would recommend that corporates ensure that they are compliant with the strictures of the GDPR (some of which are discussed in detail below) well in advance of its entry into force in May 2018.
In October 2016, the International Organisation for Standardisation (ISO) published a new standard for anti-bribery management systems. This new standard has been designed to be implemented by organisations big and small operating in any sector. It provides a comprehensive framework of anti-bribery measures including in relation to: third parties, risk assessments, due diligence, controls, monitoring, whistle-blowing, training, gifts, and hospitality. The creation of such a standard is an invaluable resource for companies without an anti-bribery policy, as well as a useful resource for companies when reviewing their existing measures.
According to reports released in December 2016, 44 referrals of corruption in relation to defence contracts have been made by the UK Ministry of Defence since 2011. Whilst the report does not refer to any companies by name, combined with the Rolls-Royce DPA referred to above, it suggests that the defence industry continues to experience difficulties in relation to bribery and corruption.
On 21 December 2016, the Swiss Competition Authorities secured fines of almost €100 million against seven banks in relation to misconduct around the setting of benchmark interest rates.
A few days later, on 23 December 2016, the DoJ announced it had agreed on fines of $7.2 billion USD and $5.3 billion with Deutsche Bank and Credit Suisse, respectively, in relation to both banks' dealings in mortgage-backed securities. Following the announcements, DoJ announced it would bring an action against Barclays in relation to similar wrongdoing.
NEWS FROM THE SFO
SFO Agrees to a DPA with Rolls-Royce
On 16 January 2017, it was announced by Rolls-Royce, and confirmed by the SFO, that a DPA, subject to approval by the Court, had been reached between them. The following day, approval was given publicly by Sir Brian Leveson, President of the Queen's Bench Division. He had given approval to the two previous DPAs, although this was by far the largest application for approval.
The DPA with Rolls-Royce covers the conduct of the two entities, Rolls-Royce plc and a subsidiary, Rolls-Royce Energy Systems (both now owned by Rolls-Royce Holdings plc). The DPA covers the conduct of the two entities in Nigeria, Indonesia, and Russia, and of Rolls-Royce plc alone in Thailand, India, China, and Malaysia. The conduct concerned its civil aerospace business, defence aerospace business, and its former energy business. It involved agreements to make corrupt payments to agents in Indonesia and China (1989–2006), and also Russia (2008–2009); concealment or obfuscation of use of intermediaries in India (2005–2009); failing to prevent bribery by employees or intermediaries in Nigeria and Indonesia (2013); and the failure to prevent the provision by Rolls-Royce employees of inducements in China and Malaysia (2013). It also involved an agreement to make a corrupt payment in 2006/7 to recover a list of intermediaries that had been taken by a tax inspector from Rolls-Royce in India.
The DPA will result in a payment by Rolls-Royce of £497,252,645 (£258,170,000 as disgorgement of profits and £239,082,645 as a financial penalty). This will be paid in four installments, with the last in 2021. Rolls-Royce will also pay the SFO's full costs of £13 million.
Rolls-Royce had previously retained Lord Gold in January 2013 to conduct an independent review of the approach of Rolls-Royce to anti-bribery and corruption compliance, and had already provided two interim reports. The DPA requires the SFO to be provided with the third interim report, and for Rolls-Royce to produce a written plan to implement the recommendations in it, and any outstanding recommendations from the previous interim reports. Thereafter, Rolls-Royce will need to complete the actions contained in the plan.
The SFO investigation had followed Internet postings in early 2012 about the operation of Rolls-Royce's civil business in China and Indonesia that had come to the attention of the SFO. An investigation had immediately been commenced by Rolls-Royce that led to a report on the findings into those issues and also other issues.
Although the SFO investigation had not been triggered by a self-report, the nature and extent of the co-operation provided by Rolls-Royce thereafter had been such that the Court was asked not to distinguish between its assistance and those who have self-reported from the outset. The co-operation included Rolls-Royce voluntarily supplying to the SFO reports in respect of its internal investigations (including the interviews, having waived any claim for legal professional privilege on a limited basis) revealing more than was in the public domain. Sir Brian Leveson was of the view that the extent of the assistance provided by Rolls-Royce was highly material both to the interests of justice and the assessment of the balance between prosecution and DPA, and also to the appropriate discount to allow from the financial penalty imposed. He also took into account the impact of a prosecution of Rolls-Royce, and that Rolls-Royce was no longer the company that it once was. It now has a new Board and executive team who have embraced the need to make essential change, including new policies, practices, and culture.
To ensure a coordinated global resolution of the matter, Rolls-Royce has also reached a DPA with DoJ (payments totalling $169,917,710) and a Leniency Agreement with Brazil's Ministério Público Federal (payments totalling $25,579,179).
SFO Closes Investigation into Soma Oil and Gas
On 14 December 2016, the SFO announced that it would cease its investigation of the Soma Oil & Gas Group. The investigation, which began in July 2015, related to allegations of corruption in Somalia. The SFO stated that whilst there were reasonable grounds to open the investigation, "a detailed review of the available evidence led…to the conclusion that the alleged conduct, even if proven and taken at its highest, would not meet the evidential test required to mount a prosecution".
The closing of the investigation comes two months after the High Court refused Soma's Judicial Review application against the SFO's continuation of the investigation on the grounds of irrationality, disproportionality under A8 ECHR, and failure to make adequate disclosure. Soma contended that were the investigation not to be concluded in short order, it would face losses running to billions of US dollars. Whilst the judgment praised Soma's extensive cooperation with the SFO (which included the waiving of privilege), it stated that Soma failed to meet the high threshold required to prove that the SFO had acted irrationally, or disproportionately, and that ordering the SFO to give additional disclosure may prejudice its ongoing investigation. The High Court held that only in an "exceptional" case would such an application have succeeded.
It is also noteworthy that prior to the Judicial Review proceedings, the SFO took the exceptional step of issuing Soma with a comfort letter which set out, as far as possible, additional information on the nature and timings of the continuing investigation that Soma would be permitted to disclose to its investors, allowing it to avoid the substantial losses it feared. Given Soma's extensive cooperation with the investigation, and the very particular facts of the case, the issuing of such a letter is not likely to be indicative of future SFO practice.
Tesco Charging Decisions
In October 2014, the SFO began an investigation into the accounting practices of Tesco Plc. On 9 September 2016, the SFO announced that it would charge former Tesco Directors Carl Rogberg, Christopher Bush, and John Scouler with Fraud by Abuse of Position and False Accounting.
In contrast, on 28 November 2016, the SFO stated that they would not be charging Tesco's former Chief Executive Phillip Clarke, "on the grounds that there is insufficient evidence to provide a realistic prospect of conviction".
The SFO's investigation into Tesco Plc is ongoing.
Director of the SFO, David Green QC, Speaking at the American Conference Institute's 33 International Conference on the FCPA—Washington, 1 December 2016
On 2 December 2016, Global Investigations Review reported that in a speech to the American Conference Institute's International FCPA Conference on 1 December 2016, David Green QC stated that when sanctioning DPA, UK courts were prepared to approve discounts "well in excess of one third" if the subject of the agreement is genuinely open and cooperative with the SFO's investigation. The article reported that Green hinted that more DPAs would be concluded shortly, and that these would deal with scenarios not seen in either the Standard Bank or XYZ cases.
NEWS FROM THE FINANCIAL CONDUCT AUTHORITY
Between 7 and 11 November 2016, the Financial Conduct Authority (FCA) hosted its "Financial Crime Conference" in London. The event saw interested individuals and entities, such as MLROs and Compliance Officers, convene to discuss the ongoing fight against financial crime.
Chief Executive Andrew Bailey delivered the opening speech of the conference, stating his disappointment that the financial services industry found itself in the midst of a "misconduct crisis". In his speech, Mr Bailey committed the FCA to continuing the fight against financial crime, whilst warning that he could never "promise to beat it entirely". The speech highlighted three key challenges faced by those seeking to combat financial crime: technological innovation in financial services; a reliance on rule-making; and the difficulty multinational entities face in ensuring uniform, worldwide compliance with internal global policies related to financial conduct. As part of effectively meeting these challenges, Mr Bailey states that a shift in social attitudes to financial conduct regulations, whereby "everyone knows the rules of the game, and then everyone sticks to them", is essential, as is the more meaningful and effective use of technology.
Whilst directly applicable to entities regulated by the FCA, these messages have relevance to many corporates. The use of technology must be carefully monitored in any organisation to ensure it does not represent the easiest avenue of attack for criminals. However, if used innovatively, technology can be a powerful tool in ensuring a workforce is properly trained in, and compliant with, a firm's policies and procedures. Naturally, such training is meaningless if it does not impart an understanding of the meaning and purpose behind rules and regulations—firms must teach their employees to look at the substance of conduct, in addition to such strictures. To ensure global compliance with policies and procedures, organisations should train local managers more directly, and in a manner that respects and understands the cultures in which they operate, to ensure any territory-specific risks are adequately addressed.
LEGISLATIVE AND REGULATORY NEWS
Unexplained Wealth Orders
As part of the sweeping changes proposed as part of the Criminal Finances Bill 2016 (CFB 2016), the government plans to amend the Proceeds of Crime Act 2002 (POCA) to give law enforcement, regulatory, and prosecutorial bodies (including the SFO, NCA, CPS, HMRC, and FCA) the ability to apply to the High Court for "Unexplained Wealth Orders" (UWOs). If obtained, these would require an individual to explain their interest in, and ownership of, property valued at greater than £100,000, where that individual's known income alone would not provide sufficient explanation for their ownership of that property. The High Court would make a UWO where the subject of the application was either a Politically Exposed Person (PEP); or where there are reasonable grounds for believing the subject of the application is or was involved in serious criminality; or where a person connected to the subject of the application is or has been involved in serious criminality.
When viewed in conjunction with modifications to the Suspicious Activity Reporting (SAR) regime proposed by the CFB, UWOs appear to be a highly valuable tool. When a SAR notification requesting consent to continue with a transaction is made under the current regime, the "moratorium period" during which no action to be taken stands at 31 days. The CFB proposes to extend the moratorium period by 186 days. This provides law enforcement agencies a considerably larger window of opportunity in which to obtain further information, or take meaningful action.
The CFB proposes that knowingly or recklessly providing a false or misleading response to a UWO would constitute a criminal offence, the penalties for which would be imprisonment for a maximum of two years or a fine on conviction on indictment, or imprisonment for a maximum of 12 months or a fine on summary conviction.
Regulation 2016/679: The General Data Protection Regulation
In May 2018, the General Data Protection Regulation (GDPR) will introduce sweeping changes to the UK's data protection regime, as currently governed by the Data Protection Act 1998 (DPA 1998). Although the GDPR is a piece of European Union legislation, the UK government has confirmed that 'Brexit' will not affect the entry into force of it, notwithstanding that there will be questions as to its applicability and operation when Britain does leave the European Union. Despite this, and the fact that entry into force of this new legislation is still more than a year away, we would recommend that those organisations caught by it develop and implement new policies and procedures as early as possible, so as to avoid any of the new or enhanced sanctions that may follow breaches of the GDPR. We have included below some of the key features of the GDPR that should be borne in mind when preparing to comply.
The GDPR will introduce some fundamental changes to the current data protection regime. Most importantly, perhaps, is the new definition of "Personal Data" introduced by the GDPR. Personal Data will now include "online identifiers", such as IP addresses, by default (previously, these were merely capable of being personal data, in certain circumstances). The GDPR also introduces new and enhanced proportionality requirements, governing how personal data is retained and processed. Unlike the DPA 1998, the GDPR will require that Data Subjects actively and unambiguously consent to the collection of personal data. Silence will no longer suffice. If the personal data to be collected is "sensitive", as provided for in the GDPR, consent must be "explicit". The GDPR will also introduce a "Right to be Forgotten", under which, subject to certain conditions, data subjects may request that Data Controllers remove their personal information. The GDPR will also have a wider geographical application than the DPA 1998. Under the GDPR, any organisation based outside the EU, but offering goods or services to, or monitoring the behaviour of, EU "Data Subjects" will be caught by its requirements.
The GDPR introduces several new, potentially burdensome, compliance requirements. In addition to a requirement to keep documentation relating to data processed, the GDPR will require that some organisations produce "Privacy Impact Assessments", prior to conducting certain data processing exercises. These documents will essentially act as risk assessments that will explain the risks involved in the data processing exercises, and whether such exercises are justified and proportionate. Data Controllers will also be required to produce "Information Notices" on, or shortly after collection of personal data, and to inform Data Subjects why, how, and for what purpose their data is being collected (and whether it will be transmitted internationally). Certain organisations will also be required to appoint a "Data Protection Officer" with specialist knowledge and expertise who will assist the company in complying with its duties under the GDPR. Among these organisations are the following: (1) public authorities; organisations conducting "regular", "systematic" large-scale monitoring of Data Subjects; or (2) organisations processing large quantities of certain specified categories of data.
The GDPR significantly increases organisations' data protection compliance obligations and potential liabilities, when compared with the regime under the DPA 1998. Part of these reforms will include the provision of new and enhanced powers to the national body in each EU Member State responsible for data protection (the Supervisory Authority), including in relation to the issuing of fines, entering premises, and the carrying out of investigations. Supervisory Authorities will have oversight over all "Data Breaches" occurring in its Member State. Under the GDPR, organisations will have significantly enhanced obligations in respect of reporting and responding to "Data Breaches". Where such a breach occurs, organisations must notify Data Controllers as soon as possible, who in turn must notify the Supervisory Authority. Subject to relatively limited exceptions, Data Controllers are also obligated to inform those whose personal data has been breached, of the fact that such a breach has occurred.
The GDPR grants Data Subjects the right to make complaints to Supervisory Authorities and national courts for breaches of the GDPR. There are potentially very substantial sanctions for breaching the GDPR. Breaches of the GDPR attract either:
- for companies, a maximum fine of €10 million, or for undertakings, a maximum of two percent of global turnover, whichever is higher; or
- for companies, a maximum fine of €20 million, or for undertakings, a maximum of four percent of global turnover, whichever is higher.
Given these potentially enormous sanctions, it is important to ensure full compliance, from the outset of the GDPR's implementation.
Article 50 TFEU provides Member States leaving the European Union with a two-year exit period when giving notification under that legislation. Until, at least, the expiration of that period, the UK will continue to be bound by EU law. Therefore, as Article 50 notification has not yet been given, it appears that UK business will have to prepare to comply with the GDPR from its introduction in May 2018. In any event, subsequent to the Referendum on Leaving the European Union in June, the Information Commissioner's Office stated that "if the UK wants to trade with the single market on equal terms we would have to prove adequacy". As such, it is possible that even after the UK has left the European Union, the requirements set out in the GDPR may remain in effect.
Section 54 of the Modern Slavery Act 2015
Following its implementation in October 2015, businesses should by now have become compliant with the Modern Slavery Act 2015's (MSA) reporting provisions. However, even a cursory examination of many businesses' websites demonstrates that full compliance remains scarce.
Section 54 of the MSA requires that: a body corporate (wherever incorporated) or partnership (being either a partnership, limited partnership, or a non-UK entity or firm of similar character); whose financial year end falls on or after the 31 March 2016; which provides goods and services; who has a total turnover not less than the amount prescribed by the Secretary of State (currently £36 million); and who carries on its business or a part of its business in the United Kingdom, publish an annual "Slavery and Human Trafficking Statement". This must be published on the business' website with a link to the statement in a prominent place on the website's homepage. If the business does not have a webpage, it must provide the statement to anyone that asks within 30 days of receipt of request.
This statement must set out what measures the reporting business has taken to eliminate slavery and human trafficking in its business, including its supply chain. However, beyond this, the MSA is silent as to what a statement must include (although it does provide examples, such as details of a business' policies, monitoring procedure, and due diligence measures).
A turnover threshold is included in Section 54 MSA to account for the fact that monitoring and ensuring compliance with supply chains which are complex, and/or geographically diverse, is a burdensome and costly exercise. The Department for Business Innovation and Skills has stated that the rationale behind Section 54 MSA is to "ensure that large businesses cannot turn a blind eye to modern slavery simply because of their corporate status or domicile" (our emphasis). However, some, such as the Chartered Institute of Procurement and Supply, have argued that the turnover threshold should be lower.
Whilst the MSA specifically provides that a business may comply with Section 54 by making a statement that it has taken no steps, this would likely expose the business to greater risk (by representing a 'red flag' to law enforcement agencies, regulators, and pressure groups) as well as making it unattractive to consumers, corporate peers, and investors.
Whilst criminal sanctions attach to breaches of other provisions of the MSA, the only direct penalty for non-compliance with Section 54 is civil. Section 54(11) provides that the Secretary of State may bring civil proceedings in the High Court to seek an injunction requiring a non-compliant entity to act to meet the obligations imposed upon it by Section 54. Despite this, if a company were to be so un-cooperative as to require the Secretary of State to seek injunctive relief, that would (as is stated above) suggest the non-compliant entity had not complied with other aspects of the MSA, and would very likely therefore attract more detailed investigation by law enforcement and regulatory bodies.
When it was passed, the MSA was criticised in some quarters as merely paying lip service to tackling big businesses' exploitation of slavery and indifference to human trafficking. The seeming indifference to the widespread lack of compliance to date supports such an assessment. Despite that, continued non-compliance presents a legal risk to any organisation caught by the MSA. For that reason, and given that compliance demonstrates a strong sense of corporate social responsibility, we would urge all clients to conform with the requirements of the MSA.
The International Organisation for Standardisation: Anti-Bribery Management Systems
In October 2016, the International Organisation for Standardisation (ISO) published a new standard relating to "Anti-Bribery Management Systems" (ISO 37001:2016) (the New Standard). The publication of this new international standard demonstrates the growing realisation that bribery is a threat to trade and commerce that must be tackled on a global scale and in a proactive manner by corporations themselves, rather than merely through passive compliance with inconsistent and varied national legislative regimes. The New Standard was drafted following international consultation, and is designed to assist in ensuring compliance with anti-bribery legislation in multiple jurisdictions, by "small, medium and large organisations in all sectors, including public, private, and not-for profit". As such, the New Standard provides a common anti-bribery management system which organisations can easily implement that will allow them to "prevent, detect and respond to bribery and comply with anti-bribery laws".
Despite only providing a generally applicable anti-bribery management system framework, the New Standard includes provisions relating to: risk assessments, due diligence, controls, monitoring, 'whistle-blowing', training, gifts, and hospitality, amongst others. The New Standard emphasises that an "organisation's culture is critical to the success or failure of an anti-bribery management system". To that end, the New Standard places responsibility for establishing, maintaining, and reviewing the anti-bribery management system on the day-to-day managers of the company, with the oversight of the Board of Directors, in respect of the overall adequacy, effectiveness, and implementation of the management system.
The New Standard empathises that entities should seek to tailor their anti-bribery policies to meet the particular risks and challenges arising from the specific sectors in which they operate. To that end, the New Standard includes certain anti-bribery policy provisions that will be of greater relevance to some entities than others. For example, the New Standard contains provisions relating to dealings with "business associates"—third parties acting on an entity's behalf. The inclusion of such provisions demonstrates how the ISO has designed the New Standard to act as a comprehensive framework or foundation, on which entities may base their anti-bribery policies.
Whilst simple incorporation of the New Standard into a company's policies and procedures will not, alone, be sufficient to prevent bribery from occurring, it represents a valuable resource, as a guide to international best practice, which businesses can draw on when implementing new anti-bribery policies or reviewing and revising existing ones. In the current political, regulatory, and legal climate, where law enforcement agencies in multiple jurisdictions are re-doubling their efforts to combat bribery, the availability of the New Standard is a useful tool for businesses and those advising them to seek to minimise bribery risk, and ensure compliance with anti-bribery laws and regulations.
The Ministry of Defence—Allegations of Corruption
According to records released to the UK Parliament by Defence Minister Harriett Baldwin, the Ministry of Defence (the MoD) has referred 44 cases of corruption in relation to defence contracts to law enforcement agencies since 2011. Of the allegations, 4 related to bribery of foreign public officials and 29 related to UK companies.
The MoD stated that, "while most MOD personnel would not consider committing fraud there is, unfortunately, a small minority, both Service and civilian, who do so". The MoD does have a "zero tolerance approach to fraud", however, it continues to allow companies against whom allegations of corruption have been made to continue bidding on contracts, unless they have been found guilty of relevant offences.
Susan Hawley, of Corruption Watch, has criticised this approach, stating that: "the lack of any effective action against contractors alleged to have been involved in bribery and corruption is deeply worrying. It is time that the MoD used its powers to deny companies involved in wrongdoing the right to bid for its contracts."
EUROPEAN AND AMERICAN DEVELOPMENTS
Settlement of US Regulatory Investigations by Deutsche Bank and Credit Suisse
On 23 December 2016, Deutsche Bank AG agreed to pay $7.2 billion USD to settle a DoJ investigation into its dealings in mortgage-backed securities. The fine will comprise a $3.1 billion civil penalty and $4.1 billion in compensation to those affected by its conduct. Many will see the settlement as a relative victory for Deutsche Bank, given that the investigation, at times, appeared to threaten its very existence, and given the DoJ had initially requested a payment of $24 billion.
A few hours after the Deutsche Bank announcement, Credit Suisse AG announced that it too had agreed a settlement in principle with DoJ to end an investigation into its dealings in mortgage-backed securities. Credit Suisse has agreed to pay a civil penalty of $2.48 billion and $2.8 billion in compensation to those affected by its conduct.
Following the two settlements, DoJ announced it would bring an action against Barclays Bank in relation to its dealings in mortgage-backed securities.
Swiss Competition Law Fines for Interest Rate Rigging
On Wednesday 21 December 2016, the Swiss competition authority (Comco) secured fines of almost €100 million against seven banks including JP Morgan Chase, RBS, and Barclays Bank for various cartel participation, collusion, and conspiracy offences related to the setting of various benchmark interest rates and associated products (including Libor, Euribor, the Swiss Franc, and the Yen) between 2005 and 2010. Comco's investigation into the activities of other banks in relation to similar wrongdoing continues.
The French "Transparency, Anti-Corruption and Economic Modernisation Bill"
On the 8 November 2016, the French Parliament adopted the "Transparency, Anti-Corruption and Economic Modernisation Bill", more commonly known as the "Sapin-II Bill", after its architect, French Finance Minister Michel Sapin.
The Bill, which draws clear inspiration from similar English legislation (such as the Bribery Act 2010 and Crime and Courts Act 2013), will significantly enhance French financial crime legislation. Some key features of the Bill include:
- introduction of a French Deferred Prosecution Agreement (the Judicial Convention of Public Interest) closely mirroring that introduced in England and Wales in the Courts and Crime Act 2013;
- extension of certain French anti-corruption offences to include conduct beyond French national borders, and the lifting of restrictions to allow the French authorities to bring prosecutions in respect of certain extra-territorial conduct;
- a new duty to adopt anti-corruption compliance procedures (with provision for potentially substantial fines for non-compliance) for corporate entities employing 500 or more individuals with turnovers of at least €100 million;
- introduction of enhanced protection for whistle-blowers reporting criminal conduct; and
- creation of a new French national anti-corruption agency with a wider remit, and more extensive powers, than the existing "Central Service for the Prevention of Corruption".