Stephen Gentle is a partner in the crime, fraud and investigations group at Simmons & Simmons in London. He specialises in assisting clients in complex fraud and financial regulatory matters, frequently with multi-jurisdictional aspects. He has particular expertise in advising on anti-bribery compliance and money laundering prevention, and has a broad international criminal practice.
Alexander Brown is a partner in the information, communications and technology group at Simmons & Simmons, based in London, and head of the technology, media and telecommunications sector. He advises on outsourcing and commercial ICT contracts, and has particular expertise in data protection and privacy.
Helen Soutter is a supervising associate in the crime, fraud and investigations group in London. She has experience of complex criminal investigations, high profile litigation and expertise in eDiscovery solutions.
GTDT: What are the key developments related to anti-corruption regulation and investigations in the past year in your jurisdiction, and what lessons can compliance professionals learn from them?
Stephen Gentle: One of the most high-profile developments this year has been the Court of Appeal’s reversal of the controversial decision in SFO v ENRC, regarding the scope of legal professional privilege. Following an intervention by the Law Society, the Court has now established clearer guidelines on how litigation privilege will apply in the context of a criminal investigation. It will bring greater comfort to companies faced with the need to investigate potential wrongdoing, and under threat of prosecution by the Serious Fraud Office (SFO), that the same protections are afforded that would apply in the civil context. Nevertheless, it remains true that cases are inevitably determined on the facts, and not every instance of ‘concern’ articulated by the SFO will give rise to a ‘reasonable contemplation’ of prosecution. That means companies will need to give careful consideration to whether or not the relevant circumstances exist when they commence investigations, and reassess their position as matters progress.
Helen Soutter: Aside from ENRC, there have been a number of other major developments impacting the types of evidence that are likely to be available to prosecutors investigating criminal conduct, including corruption. While ENRC limits what may be compelled from corporates in the context of an SFO prosecution, the decision in Barko v KBR, handed down a mere day later, does the opposite. The decision makes it possible for the SFO to lawfully compel the production of documents located on servers overseas from a foreign company where the foreign company has ‘sufficient connection’ to the UK, without need for recourse to the usual mutual legal assistance (MLA) routes.
Given the SFO’s role in investigating and prosecuting complex and cross-border cases, including, for example, for conduct occurring outside the UK that is punishable under the UK Bribery Act, this further expansion of the territorial reach of the UK prosecutor may not surprise experienced compliance professionals used to dealing with the US Department of Justice (DOJ). Nevertheless, it does leave the path clear for documents to arrive at the SFO much quicker than previously. When an MLA request might take many months, demanding these documents direct from the corporate means the production will be subject to the deadlines laid down by the SFO. The agency is also beginning to use technology to assist its review of the enormous amounts of data it receives during the course of investigations – both to sift out privileged documents (though there are big questions around how this is applied in practice) and to identify relevant material. We will watch closely how the approach to this artificial intelligence changes over the coming year to anticipate how potential defendants can or should adapt their own strategies.
Moreover, where there is no relevant group company on whom the SFO can serve such a request, there are further new tools in the pipeline: the UK overseas production order and the European production order (EPO). Both enable the relevant authorities to bypass the MLA procedure to compel production from companies overseas directly (though whether the UK will adopt the EPO after the Brexit implementation date is still far from clear, particularly if the overseas production order will achieve a similar effect).
GTDT: What are the key areas of anti-corruption compliance risk on which companies operating in your jurisdiction should focus?
SG: While we continue to receive queries about gifts and entertainment from clients, the most common form of corruption that we are seeing in enforcement actions remains the use of intermediaries and agents. Using third parties to win business overseas is always high-risk and the companies we work with who have the most impressive anti-corruption programmes have reviewed their historic relationships with agents, conducting further due diligence with a view to reducing their number and ensuring they are only engaged when appropriate. The questions companies should be asking are: ‘what is the rationale for using an agent?’, ‘what exactly is the agent going to do?’ and ‘how do we monitor their activities?’ In most of the cases where enforcement action has been taken, there was insufficient pushback on using a third party at all, with little questioning of their role and a lack of due diligence regarding those involved.
Companies also need to review the operation of their anti-corruption policies and procedures and assess their effectiveness on an ongoing basis. Are the measures in place the right ones for the risks the company faces? Around the time the Bribery Act came into force, there tended to be significant emphasis on monitoring the provision of gifts and hospitality, as this was an area very much in the news. For some companies this is not a particularly high-risk area and it can distract from more important areas such as due diligence on agents and intermediaries, and scrutinising those relationships.
Another area of focus is around ensuring a zero-tolerance approach to facilitation payments. Given that a specific review of the provisions of the Bribery Act relating to facilitation payments currently underway in the House of Lords seems unlikely to change the current position (that is, a continuing prohibition), despite the political pressures caused by Brexit, companies need to be moving in the right direction on this in practice. Given the time now elapsed since the implementation of the Bribery Act, any tolerance of these types of payments has potential to attract attention from enforcement.
Once a company is content with its measures, the next question is, are they working? If there is a gifts and hospitality register, is it being used consistently? Is it audited for completeness; for example, by cross-checking it against marketing expenditure? Is the register being reviewed to identify unusual patterns of expenditure, such as hosting the same customer representative repeatedly? The clients we work with that have the most impressive compliance programmes review and improve their anti-corruption policies and procedures as part of an ongoing programme.
GTDT: Do you expect the enforcement policies or priorities of anti-corruption authorities in your jurisdiction to change in the near future? If so, how do you think that might affect compliance efforts by companies or impact their business?
SG: There are some new, key figures in the UK enforcement line-up – we recently saw the appointment of a new Attorney General, and a new Director of the SFO. Both have been quick to defend the role of the UK’s lead prosecutor, its funding arrangements and its success record, and there is no sign as yet of any shift in the more aggressive enforcement stance of recent years.
If, for example, Lisa Osofsky, the Director of the SFO, continues as her predecessor Sir David Green QC did, to widely advertise the measures the SFO will expect from corporates wishing to avail themselves of a deferred prosecution agreement (DPA), then we may see further instances of early and increased cooperation by corporates that identify issues within their organisation, in the hopes of leaving the door open for such an agreement to be reached down the line.
It may be the case that the new Director’s approach to cooperation by corporates becomes more nuanced, with a greater willingness to allow companies to conduct comprehensive investigations in advance of any self-report – and indeed subsequent to a self-report.
There is also an increased likelihood that more investigative material will now benefit from legal professional privilege as a result of the ENRC decision, compared to the position under the later stages of Sir David Green QC’s tenure. That could have the effect of making the fully ‘cooperative’, early self-reporting route, including providing privileged documents to the SFO, even less appealing. Many clients consider that if the company can properly establish its level of risk ahead of compelled document productions or interviews of staff, it will be in a stronger position to consider whether a DPA, or mounting a positive defence, is of greater strategic value.
These practical issues will impact on how corporates under threat of investigation respond to allegations of wrongdoing, and in turn, the SFO will need to recognise the shifting landscape, and potentially adjust its policy accordingly. We also cannot ignore the as yet unknown future impact of Brexit, and the complex interplay between maintaining the attractiveness of London as an international financial centre, with the UK’s crucial role as a global leader in the fight against financial crime.
HS: It is also worth noting that the new National Economic Crime Centre (NECC), announced late last year, will be established by the end of October. It will sit within the National Crime Agency (NCA) and be tasked with coordinating with other agencies to bring together efforts to counter financial crime. We don’t expect any immediate changes to the formal division of responsibilities laid down in the inter-agency memorandum of understanding; however, the NCA has been vocal in the past about the need for greater public–private partnership, and the launch of the NECC would present an opportunity to reach out again for collaborative effort in this area. Ms Osofsky has also been vocal about her experience of working collaboratively with private organisations during her time as a US federal prosecutor. Given that the intention behind the NECC’s launch was to further support the crack down on anti-money laundering through London’s financial institutions, we anticipate further developments on this initiative to be announced soon.
GTDT: Have you seen evidence of continuing or increasing cooperation by the enforcement authorities in your jurisdiction with authorities in other countries? If so, how has that affected the implementation or outcomes of their investigations?
SG: The SFO has long had a close relationship with the DOJ and the Securities and Exchange Commission (SEC), although there have been tensions on occasion. Coordinated settlements in older cases such as Innospec and the BAE Systems Al Yamamah investigation demonstrated that relationship in action. What we have seen more recently is cooperation between the SFO and agencies from other nations. It was notable that, following the SFO’s first successful conviction of a company for corruption offences following a contested trial, the Smith & Ouzman case, the SFO’s press release made a point of thanking authorities in Kenya, Ghana and Switzerland for their assistance. Cooperation is consistently noted in other recent cross-border cases with the Australian Federal Police (relating to the Unaoil charging decision), the Financial Crimes Commission of Nigeria (in the trial of three employees of Swift Technical Solutions Ltd), and, in one particular case, an enormous collaborative effort between the UK and the authorities of the British Virgin Islands, Cayman Islands, Germany, Luxemburg, Ireland, South Africa, Sweden and Switzerland (the trial of Ulf Magnus Michael Peterson (Weavering Capital (UK) Ltd)).
The same applies to cases where a settlement is reached using the DPA route. Following the conclusion of the DPA with Rolls-Royce, the SFO publicly thanked the DOJ and Brazil’s Public Prosecutor’s Office for their cooperation in arriving at what the SFO called ‘a coordinated resolution’ that saw Rolls-Royce pay US$170 million to the United States and US$25 million to Brazil. That highlights another aspect of international cooperation that we have seen – that where there is overlapping jurisdiction, the UK and US authorities will discuss which is better placed to lead, and one may step aside on the basis that an investigation by the other is already under way. As part of the ICBC Standard Bank DPA, the SEC levied a fine on the bank, but the DOJ appeared to be happy to allow the English proceedings to lead. It was also notable that the court was told that the level of fine imposed in that case was commensurate with what would have been imposed in US proceedings. US authorities are not always very joined up themselves, however, and it is common to have to deal with multiple agencies there, each with its own agenda.
“Companies will be expected to assist the authorities in prosecuting implicated individuals.”
GTDT: Have you seen any recent changes in how the enforcement authorities handle the potential culpability of individuals versus the treatment of corporate entities? How has this affected your advice to compliance professionals managing corruption risks?
SG: Each of the judgments to date approving the DPAs agreed between the SFO and companies settling allegations of misconduct have emphasised what was set out in the SFO’s guidelines: that companies will be expected to assist the authorities in prosecuting implicated individuals. That is what we are seeing in practice too. If a company hopes to be considered cooperative (and therefore potentially eligible for a DPA), it will be expected to provide evidence against its officers and employees to the SFO. It will also be expected to have removed any implicated individuals from their posts. It is notable that the name of the company that was the subject of the second concluded DPA was not disclosed at the hearing approving the DPA because of the possibility of prejudicing ongoing criminal proceedings.
Those proceedings will involve individuals. We advise individuals as well as corporates, so we see this issue from both sides. In terms of how the prosecution agencies’ focus on individual liability affects our advice to compliance professionals, the convictions of individuals makes for a strong training message. Compliance officers often struggle to get their audience’s attention, but the reality of personal liability can be useful for bringing the issues to life.
HS: The SFO has made a point of pursuing individuals as part of its corporate investigations, not only by following through on its requirement that companies assist in the prosecution of individuals following conclusion of a DPA, but at an earlier stage too. This emphasis on individual liability mirrors developments in the United States, highlighted by the Yates Memorandum, and we think this will continue. This year has seen some significant actions against individuals following SFO investigations into corporates, such as the charging of a number of individuals in relation to Unaoil, two former executives of Güralp Systems Limited in relation to alleged corrupt payments to South Korean officials, the trial of four former Barclays executives in relation to the bank’s 2008 capital raising, and the conviction of seven current and former employees of F H Bertling in relation to corrupt payments made to the Angolan state oil company.
“This year we saw the first contested UK prosecution for the ‘failure to prevent bribery’ offence.”
GTDT: Has there been any new guidance from enforcement authorities in your jurisdiction regarding how they assess the effectiveness of corporate anti-corruption compliance programmes?
HS: This year we saw the first contested UK prosecution for the ‘failure to prevent bribery’ offence under section 7 of the Bribery Act 2010, against Skansen Interior Limited. The judgment has provided some further clarity around what compliance procedures will be deemed to be ‘adequate’, and therefore afford companies a defence under the Act. Skansen argued that the procedures as a whole were appropriate to its business. Notably, it was a small business with (it argued) no need for a specific anti-bribery and corruption (ABC) compliance programme, given that it had general policies around transparency and integrity, and signs on the walls in the office reminding employees to act ‘ethically’. The court disagreed. The guidance from the case indicates that while proportionality is a valid consideration for companies in designing their compliance frameworks, it doesn’t mean ABC risks don’t need to be specifically addressed, and the risk still needs to be looked at in context – that is, for example, with a view to whether the company is operating in a high-risk sector like construction (in Skansen’s case), dealing with high-risk customers or in high-risk geographical regions.
GTDT: How have developments in laws governing data privacy in your jurisdiction affected companies’ abilities to investigate and deter potential corrupt activities or cooperate with government inquiries?
Alexander Brown: The collection and analysis of personal data for the purposes of an investigation engages EU data protection laws. Those laws require that data is processed fairly and lawfully (and specifically there must be a justification for the collection and any disclosure of data). In the event that personal data is to be sent outside the EU, there must also be adequate protection for the data. These rules can often restrict the ability of companies to collect, use and transfer personal data in the context of an investigation including the transfer of personal data to advisers and authorities.
In May 2018 the European Union implemented the General Data Protection Regulation (GDPR), which raised the bar on data protection compliance standards. In the context of investigations, for example, an important consideration is that the collection and handling of data related to criminal investigations is more restricted than under the previous regime. The base position in the GDPR is that the collection and handling of data related to criminal offences must be ‘carried out only under the control of official authority or when the processing is authorised by Union or Member State law’. On the face of it, therefore, the ability to collect data that might relate to the commission of an offence such as fraud is very limited. However, member states have the ability to enact their own laws to supplement the GDPR and that has been done in the UK with the Data Protection Act 2018. One of the key things that the DPA 2018 does is to provide a further list of reasons why companies are entitled to collect and use personal data related to commission of criminal offences such that, for example, collection of data can be undertaken for the prevention or detection of unlawful acts, dishonesty, malpractice or ‘improper acts’. It also allows the collection and use of data related to a criminal offence in the event that it is necessary in the context of legal proceedings or obtaining legal advice.
The GDPR maintains the rules on data transfers out of the EU meaning that they are only permitted in certain circumstances. Those circumstances are extended to include circumstances in which the transfer is for ‘compelling legitimate interests’, which should include overseas investigations, albeit that such transfers are subject to notification to the relevant data protection authority. However, data transfers are also permitted where required for the purposes of the establishment, exercise or defence of legal claims. In this regard, the UK Information Commissioner guidance has historically set the bar high, requiring it to be a necessity that the information be sent and further requiring a balance to be struck between legal rights and the data subject’s rights. If overseas authorities have issued an order for the production of documents, then the test of necessity will be met. If it is merely a request that the company be cooperative, that is more difficult.
The future of data protection in the UK looks set to follow the EU’s rules. The GDPR has come into effect before the UK leaves the EU and, as such, it will be preserved in UK law. Moreover, one function of the Data Protection Act is to further enshrine the GDPR in UK law and make it work in a post-Brexit environment. Over time the data protection regimes of the UK and the EU may diverge, and that will create complexities for companies investigating matters involving both the UK and EU member states, but, for the moment the rules are broadly consistent.
The Inside Track
What are the critical abilities or experience for an adviser in the anti-corruption area in your jurisdiction?
SG: Experience of dealing with the various different authorities is really important in the United Kingdom, by which I mean the SFO, the Financial Conduct Authority, the City of London police, the Crown Prosecution Service and the NCA. They each have their own approach and their own powers, so you need to know when you can push back on their requests and when you just need to comply quickly. I think the critical ability is to maintain an overview of all the moving parts in a big investigation, as you need to be thinking about employment law, data protection, privilege, market announcements and all the commercial issues, usually all from the perspective of more than one jurisdiction.
What issues in your jurisdiction make advising on anti-corruption compliance unique?
SG: The interrelationship between corruption and money laundering is a unique aspect of compliance in the United Kingdom. Under UK legislation, wherever there is bribery there will be a benefit that will be the proceeds of crime. The Proceeds of Crime Act creates an obligation for those in the regulated sector to report any suspicion that someone is handling the proceeds of crime and that includes accountants and lawyers who are not advising on criminal liability. This not only makes the reporting of corrupt transactions more likely, but creates its own issues as to when a company in the regulated sector may be under a legal obligation to report.
What have been the most interesting or challenging anti-corruption matters you have handled recently?
HS: We are seeing an increasing number of cases of parallel civil proceedings alongside a criminal or regulatory investigation into allegations of corruption. That complicates the process in relation to issues such as interviewing witnesses, privilege over documents created to serve multiple purposes, what can be shared with prosecutors and the statutory protection against self-incrimination. The key is to take stock early on, and consider the situation dynamically, so that if and when things change, you advise the company on any corresponding shift in the risk profile of the case and how it should be managed going forward.
Stephen Gentle, Alexander Brown and Helen Soutter
Simmons & Simmons LLP