Horizon Scanning: Investigations and Enforcement

As anticipated in our previous horizon scan (see here), the end of 2023 has brought about significant developments in financial crime enforcement and a real focus on fraud. Looking ahead to 2024, we predict developments affecting organisations doing business in the UK will include:

• a focus from organisations on fraud, in particular preparing for the implementation of the new failure to prevent fraud offence, by enhancing anti-fraud procedures;
• new enforcement priorities for UK authorities, in particular with the arrival of the new Serious Fraud Office (SFO) director, extensions to the powers of the SFO and a focus on individual accountability and non-financial misconduct from both the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) (including misconduct outside the workplace);
• a continued rise in the number of investigations and subsequent enforcement actions involving sanctioned Russian individuals and entities, resulting in greater scrutiny of organisations’ sanctions compliance programmes; and
• heightened enforcement by regulators of companies’ disclosures concerning their ESG credentials, as well as the need to comply with a growing number of ESG due diligence and reporting requirements.

1. Economic Crime and Corporate Transparency Act

The Economic Crime and Corporate Transparency Act 2023 (ECCT Act) received Royal Assent on 26 October 2023, bringing with it wide-ranging reforms to tackle economic crime. The changes will be implemented in stages over the coming months, and we expect that this will increase scrutiny of organisations and their compliance programmes, effect a shift in compliance programmes and culture, as well as make enforcement action, in particular deferred prosecution agreements, more likely.

1. The Failure to Prevent Fraud Offence: the new offence makes an organisation liable if it fails to prevent a specified fraud offence from being committed by an ‘associated person’ for the benefit of the organisation or a person to whom services are provided on behalf of the organisation. It is a defence to have in place ‘reasonable procedures’ to prevent fraud. Whilst the offence only applies directly to ‘large’ organisations, we expect that in practice, smaller organisations will still have to consider putting in place, or reinforcing, their anti-fraud procedures – given that they may be the ‘associated person’ of a large organisation (and the large organisation may therefore require them to have in place ‘reasonable procedures’ to prevent fraud). Please see our articles here and here for more information. The government is yet to provide guidance on what constitutes ‘reasonable procedures’ ahead of the offence coming into force, and so the date of implementation is not yet clear (although it is now expected that this will be in the second half of 2024 at the earliest).
2. Corporate Criminal Liability: from 26 December 2023, the current ‘directing mind and will’ test for corporate criminal liability will be replaced with a new ‘senior managers’ test which is likely to make prosecuting organisations for criminal offences easier (for more detail please see here). This applies only to certain offences, although these are relatively broad and include offences of bribery, money laundering, fraud, false accounting and fraudulent trading, as well as offences under the Financial Services and Markets Act 2000, Financial Services Act 2012, and offences under the Terrorism Act 2000. During debates on the ECCT Act in Parliament the government signaled its intention to broaden this to include liability for all criminal offences committed by a senior manager, after it had been able to consider the consequences. This has now been proposed in the 2023 Criminal Justice Bill so that if enacted, organisations will be liable for any offence committed by a senior manager within the actual or apparent scope of their authority. See our blog here.
3. SFO Powers: historically, the SFO has only had the power to compel the provision of documents and / or information under section 2 of the Criminal Justice Act 1988 at a pre-investigation stage in cases of international bribery and corruption. The ECCT Act has extended this to all SFO cases (see more detail here). Given that this means that evidence can be gathered at an earlier stage by the SFO, we expect this to speed up the investigation process and allow the SFO to open investigations more quickly.
4. Companies House reforms: these are aimed at, among other things, strengthening the UK’s business environment and improving the reliability of data. Several changes are also being made to processes and requirements for company formation and administration, including requiring identity verification of directors and persons with significant control of UK organisations. See our article here for more information.
5. Specific exemptions to money laundering offences: businesses in the UK regulated sector (such as financial institutions) which are dealing with property (including money) for a client and know or suspect that a part of that property is the proceeds of crime (‘criminal property’) will no longer be required to seek a Defence Against Money Laundering (DAML), commonly known as “consent”, if they:

a. cannot identify which part of the property represents the suspected criminal property; and

b. hold property worth at least as much as the part of that property to which their knowledge or suspicion relates.

Whilst such businesses will still be required to report their knowledge or suspicion, the removal of the requirement to obtain a DAML will avoid the need for those businesses to prevent a customer’s access to any of that property while they are waiting for a DAML. It will reduce the burden on financial institutions in particular. A DAML will still need to be sought as soon as dealing with any part of the property to which the knowledge or suspicion relates occurs. By way of example, where a client account balance was £900, and then a further £100 was received which was suspected criminal property, no DAML would be required for dealing with £900. As soon as the account only holds £100, then a DAML will be required (as the suspected criminal property will then be dealt with).

The change will come into force on 15 January 2024. It will not apply to disclosures under the Terrorism Act 2000.

2. Use of Non-Firm Approved Messaging Platforms

UK authorities are increasingly focused on firms’ policies and procedures in relation to instant messaging and are paying close attention to action taken by the SEC. We expect to see similar investigations targeting organisations in the UK that fail to record and retain electronic communications or to put in place adequate record-keeping policies and procedures in relation to instant messaging. In preparation for increased regulatory scrutiny, UK firms (and in particular, those that are regulated) should consider reviewing their policies and related procedures regarding the use of personal devices and instant messaging platforms.

3. DOJ Guidance on successor liability – what does this mean for UK organisations?

The United States Department of Justice (DOJ) announced earlier this month a new policy which aims to encourage organisations to voluntarily self-disclose any misconduct uncovered during the process of mergers and acquisitions (M&A). Organisations will receive a presumption of a declination (i.e. a decision not to prosecute) from the DOJ where they discover criminal conduct during an arm’s length, bona fide M&A transaction and where this is: (i) voluntarily disclosed to the DOJ within six months from the date of closing; and (ii) fully remediated within 12 months.

For UK organisations engaging in cross-border M&A transactions with any potential US nexus, this increases the importance of thorough pre- and post-acquisition due diligence and compliance programme remediation and enhancement.

4. Enforcement priorities

New SFO Director / SFO Priorities going forward

Following the appointment of former Metropolitan Police Assistant Commissioner Nick Ephgrave as the new Director of the SFO in September, there has been much speculation as to his priorities for the SFO in the coming years. While no significant announcements have been made, we expect to see the following:

1. Pressure to see the new SFO powers (see above) used sooner rather than later.
2. Increased commitment to combatting fraud, in particular in light of the new failure to prevent fraud offence, and also the scale of alleged fraud relating to government-backed loans during the Covid-19 pandemic as well as increasing online consumer fraud.
3. Increased focus on individual accountability given the changes to the corporate criminal liability test (see above).
4. Increase in dawn raid activity: the SFO recently conducted a large-scale dawn raid (including making seven arrests). Over 80 SFO investigators and police officers were involved.

FCA Enforcement Update

Based on recent developments and the activity we are seeing, we expect the FCA to focus on:

1. Consumer protection, which is a key regulatory focus for the FCA (in particular the protection of vulnerable customers). It has now been over three months since the Consumer Duty has come into force and we have seen recent related enforcement activity and expect more to come. For more information please see here.
2. Financial Crime: we have seen a number of enforcement cases with a particular focus in the areas of AML and fraud. This trend is expected to increase (also with a focus on sanctions), with the FCA highlighting in their 2023 / 2024 Business Plan (here) that financial crime remains a significant focus. In particular, they highlighted in the Business Plan, as well as in a recent report (see here), the focus on authorised push payment fraud. We expect to see the FCA using data to identify firms which are more susceptible to receiving the proceeds of crime; increasing their volume of proactive assessments of firms’ AML systems and controls; and also increased scrutiny on firms having in place procedures to identify and prevent fraud.
3. Individual accountability: there is a growing focus on non-financial misconduct, as set out in a recent FCA Consultation Paper here. The FCA has introduced proposals that non-financial misconduct (including outside of work) would be relevant when conducting a ‘fit and proper’ assessment, and also when considering whether there has been a breach of Conduct Rule 1: acting with integrity. If introduced, this would require firms to revisit their cultural expectations and Codes of Conduct, and also ensure that they have clear training and policies in place to ensure that poor behaviour is escalated and dealt with appropriately and promptly. The consultation closes on 18 December, so we expect to see any changes during the course of 2024.

Dawn raids are on the rise, and we expect the FCA will continue utilising its powers: during the first half of 2023, the FCA conducted six dawn raids compared with two during the entirety of 2022. Organisations should ensure that they are prepared for any dawn raids, including updating their dawn raid manuals in light of hybrid working, making sure they know where and how their data is stored, and conducting practical training for all employees.

FCA Supervision is also active in issuing wide-ranging Information Requirements, which can be the precursor to an investigation by Enforcement. Organisations should be aware of this risk, and where appropriate involve their investigations and enforcement teams when responding to Supervision requests to ensure these are considered through the lens of potential enforcement.

PRA Enforcement Update

The PRA, similar to the FCA, appear to be focusing on non-financial misconduct and in particular on diversity and improving the general standard of conduct within firms.

More generally, the PRA have also recently emphasised that they are focussed on learning lessons from previous investigations, and on driving efficiency and preserving resources. This emphasis has manifested itself in the PRA’s proposed changes to their approach to enforcement. In our June 2023 horizon scanner here, we touched on this, and in particular on the proposed introduction of an Early Account Scheme, effectively outsourcing investigations to the firm and providing an enhanced settlement discount of 50% as an incentive. Other proposed changes include the way in which financial penalties were calculated. This consultation is ongoing, and it is not clear when the proposals will be finalised. The proposed scheme signals that the PRA are prepared to use their enforcement powers and are seeking to speed up investigations.

5. Sanctions

Sanctions and investigations

Following the unprecedented levels of sanctions activity in response to Russia’s invasion of Ukraine, authorities in the US, UK and EU are now turning their attention to enforcement of those sanctions. Sanctions authorities have indicated that they are bolstering their enforcement teams to handle the expected increase in sanctions-related investigations, and we are seeing an increase in requests for information from authorities across multiple jurisdictions to support on-going investigations. With this increased focus, we expect to see a continued rise in the number of investigations and subsequent enforcement actions, resulting in greater scrutiny of organisations’ sanctions compliance programmes. Our article here summarises some of the key points to consider when responding to a potential sanctions breach, and the steps organisations should be taking.

Regulatory developments

The UK has continued to designate individuals and entities under its sanctions regime targeting Russia. The latest round of designations exemplify its focus on anti-circumvention measures – on 8 November the UK government announced the designation of 29 individuals and entities that operate in or support Russia’s gold, oil and strategic sectors. Notably, these designations were not confined to entities and individuals located in Russia, but included Swiss nationals, and entities based in Dubai and Jersey.

In parallel with this latest round of designations, the National Economic Crime Centre (a multi-agency unit in the National Crime Agency) (the NECC) issued a red alert concerning techniques that are used to evade sanctions related to gold (which the NECC notes is a significant income stream for Russia’s war effort and was worth approximately £12.6 billion to the Russian economy in 2021), which is available here. The red alert outlines indicators of circumvention that are relevant to gold, including suspicious cargo movements, incomplete or incorrect paperwork, and cash-based transactions.

In the recent case of Mints v PJSC (a summary of which is available here), the Court of Appeal indicated that a very broad interpretation of when an asset freeze target may be owned or controlled by a designated public figure was possible in light of the wording of the UK sanctions regulations. The Foreign Commonwealth Development Office and OFSI have since issued public statements, which suggests that that their approach has not changed. We expect that UK sanctions authorities may consider issuing further guidance and/or take other action to address the Court’s obiter remarks on when an entity may be owned or controlled by an asset freeze target.

6. ESG / BHR

2023 has seen a continued focus on greenwashing from the FCA, Competition and Markets Authority (CMA) and Advertising Standards Agency. In Q4 2023, the FCA is expected to impose an anti-greenwashing rule requiring regulated firms to ensure the name and marketing of their products reflect their sustainability profile. In addition, the Digital Markets, Competition and Consumer Bill, which will grant the CMA extensive new enforcement powers, will progress through the UK legislature next year. Also in 2024, the Government will adopt UK Sustainability Disclosure Standards based on the IFRS Sustainability Disclosure Standards issued by the International Sustainability Standards Board. These will form a baseline for applicable disclosure requirements.

The EU’s ESG legislative program continues apace. From 2024, certain large “public interest entities” and companies with securities listed on EU exchanges will be required to make ESG disclosures in their annual reports from 2025 for the 2024 financial year, under the EU’s Corporate Sustainability Reporting Directive (CSRD), with other companies (including non-EU parent companies) required to report in later years. CSRD requires compliance with European Sustainability Reporting Standards (ESRS). The first set of ESRSs were published in 2023, with further ESRSs delayed until 2026.

Following closely behind CSRD is the proposed EU Corporate Sustainability Due Diligence Directive (CS3D), which will introduce mandatory human rights and environmental due diligence obligations extending to the value chain. CS3D will apply to certain non-EU companies with a specified level of turnover in the EU – including a large number of UK companies given the EU remains the UK’s biggest export market. The EU Parliament and Council are negotiating the final text of CS3D, which they hope to complete by the end of the year. One of the key issues is whether CS3D will apply to financial services.

The EU’s other ESG initiatives include the introduction of the EU Deforestation Regulation, which will impose supply chain due diligence obligations on companies importing certain commodities into the EU from 30 December 2024. In the near future, the UK Government will also be introducing secondary legislation at the “earliest opportunity” to implement the 2021 Environment Act’s due diligence requirements concerning illegal deforestation in their supply chains.