Corporate self-reporting: Weighing the cost of coming clean

UK developments

The recent implementation of the Economic Crime and Corporate Transparency Act 2023 (ECCTA) has amended the established identification principle according to which only the criminal acts of a person representing an organisation’s controlling mind and will could be attributed to the organisation (see feature article "The fight against economic crime: ECCTA takes effect", www.practicallaw.com/w-043-0383). This had been the position under UK law for over half a century and was argued to represent an excessive bar to successful corporate prosecutions. ECCTA introduces a new test so that an organisation can now be held criminally liable where a senior manager commits one or more of a number of specified economic crime offences (section 196, ECCTA). 

In addition, a new offence of failure to prevent fraud is due to be introduced in 2025. Modelled on the failure to prevent bribery offence, it will make an organisation liable where a person associated with the organisation commits one of a number of specified fraud offences (section 199, ECCTA). Similar to the failure to prevent bribery offence, the only defence for an organisation will be to have reasonable procedures that are designed to prevent fraud. 

These changes greatly expand the potential liability of businesses, which will mean that the question of self-reporting is likely to arise in a much greater number of circumstances. Previously fraud by an employee was unlikely to result in corporate criminal liability. Now, criminal liability may be attributed to an organisation if the employee is a senior manager and, once the failure to prevent fraud offence is in force, the organisation may be liable for failure to prevent fraud. 

UK whistleblowers 

There is a growing trend towards encouraging corporate self-reporting, which is reflected in recent attempts to incentivise whistleblowers. The new director of the Serious Fraud Office (SFO), Nick Ephgrave, in his speech on 13 February 2024, acknowledged that most of the SFO’s DPAs have come from whistleblowing reports and proposed that whistleblowers should be financially compensated (www.sfo.gov.uk/2024/02/13/director-ephgrave-speech-at-rusi-13-february-2024/). This is part of a wider package of reform aimed at enhancing whistleblower protections (see Opinion "Whistleblowing reform: better protection needed", www.practicallaw.com/w-044-2428). 

This growth in whistleblowing regulation is likely to increase the number of whistleblowing complaints further. The risk of whistleblowing increases the need for organisations to give timely consideration to self-reporting in order to reduce the risk that any credit that might be available to them is not lost by the authorities receiving the information first from another source (see feature article “Whistleblowing policies: reaping the rewards”, www.practicallaw.com/w-008-4812).

Deferred prosecution agreements

Since the DPA regime was introduced in the UK in 2014, the main motivation for an organisation to self-report continues to be the potential to secure a DPA (see feature articles "Self-reporting bribery: the ongoing dilemma", www.practicallaw.com/w-015-6714 and "Deferred prosecution agreements: moving into the unknown", www.practicallaw.com/6-525-6101). This has the benefit of avoiding the threat of a lengthy criminal investigation, and reducing financial penalties and reputational damage. However, a self-report is not a necessary ingredient of a DPA and much will depend on the circumstances. 

A failure to make a timely voluntary self-report will not prevent an organisation from achieving a DPA, in particular where it has demonstrated extensive co-operation with the investigation. This is clear from the recently concluded DPAs of:

• Entain plc in 2023, which was the first to be concluded by the Crown Prosecution Service (CPS) (www.cps.gov.uk/cps/news/first-ever-cps-deferred-prosecution-agreement-ps615-million).
• Amec Foster Wheeler Energy Limited in 2021 and Rolls-Royce in 2017, in which there were no initial self-reports (www.sfo.gov.uk/download/amec-foster-wheeler-energy-limited-deferred-prosecution-agreement-judgment/; www.sfo.gov.uk/2017/01/17/sfo-completes-497-25m-deferred-prosecution-agreement-rolls-royce-plc/; see News brief "Rolls-Royce deferred prosecution agreement: the SFO gains traction", www.practicallaw.com/6-638-0859).
• Airbus SE in 2020, where the company had effectively been forced to self-report (www.sfo.gov.uk/2020/01/31/sfo-enters-into-e991m-deferred-prosecution-agreement-with-airbus-as-part-of-a-e3-6bn-global-resolution/; see News brief "Airbus: the flight path for future DPAs?", www.practicallaw.com/w-024-1612).

Businesses and the SFO are both clearly motivated to achieve DPAs to avoid prosecutions under section 7 of the Bribery Act 2010 (2010 Act) (see feature article "Bribery Act 2010: ten years on", www.practicallaw.com/w-026-9809). One of the unintended consequences of this is that the extent of the 2010 Act’s extraterritorial jurisdiction remains untested and, in recent DPAs, jurisdiction has been agreed on the basis of a UK subsidiary company that may have had little or no connection with the underlying bribery.

Deciding whether, when and how to report are just the first steps in a long process towards potentially receiving a DPA. The SFO's corporate compliance guidance makes it clear that a business’s compliance will be assessed from the very early stages of the investigation (www.sfo.gov.uk/publications/guidance-policy-and-protocols/guidance-for-corporates/evaluating-a-compliance-programme/). 

While reporting is ultimately a business decision, it is one with wide-reaching implications, and one that businesses must make carefully yet quickly, weighing the risks against the potential benefits.

US developments

US Department of Justice (DoJ) officials put out a regular stream of speeches, policies and announcements aimed at further incentivising businesses to self-report misconduct. These announcements have both trumpeted the potential benefits of self-disclosure as well as threatening the risks to businesses that wait to co-operate only after being approached by the government. 

Self-disclosure policies

Most notably, on 15 September 2022, Deputy Attorney General Lisa Monaco announced that the DoJ would further delineate incentives for businesses that voluntarily disclose misconduct, and that voluntary self-disclosure policies would be part of every DoJ component that prosecutes corporate crime (www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-delivers-remarks-corporate-criminal-enforcement). This approach was formalised in an accompanying memorandum directing every DoJ unit that prosecutes corporate crime to implement a self-disclosure policy (www.justice.gov/media/1245451/dl). 

The point was re-emphasised in a speech on 17 January 2023 from Assistant Attorney General Kenneth Polite, who stated that voluntary self-disclosure is the clearest path to the greatest incentives that the DoJ can offer, and that failing to self-report, remediate and co-operate can lead to "dire consequences” (www.justice.gov/opa/speech/assistant-attorney-general-kenneth-polite-jr-delivers-remarks-georgetown-university-law).

On 22 February 2023, the DoJ formally announced a voluntary self-disclosure policy applicable to all of its prosecuting offices nationwide (http://www.justice.gov/usao-edny/press-release/file/1569406/dl). It details both the standards for what constitutes a voluntary self-disclosure and the benefits that can be obtained. A self-disclosure will only be deemed voluntary if it is made before an imminent threat of disclosure or government investigation, and promptly after the business becomes aware of the misconduct. The burden, as always, is on the business to demonstrate timeliness. 

The DoJ has widely publicised the cases where businesses have obtained declinations (where the authorities decline to prosecute the matter) based on self-disclosures as means of demonstrating the benefits of self-reports, which are, principally, avoiding a criminal resolution and mitigating or eliminating associated penalties. That said, there have only been ten such declinations since the beginning of 2019 under the DoJ’s corporate enforcement policy, suggesting that the decision of whether to self-report in the timeframe required when an issue arises remains a complicated one for businesses (www.justice.gov/criminal/criminal-fraud/file/1562831/dl?inline).

While the DoJ’s self-disclosure programme arose out of the prosecution of Foreign Corrupt Practices Act of 1977 (FCPA) violations, these declinations have not been limited to FCPA matters or to the DoJ’s fraud section. For example:

• In April 2024, the DoJ declined to prosecute a company for fraudulently representing that its products met federal safety performance standards (www.justice.gov/criminal/media/1348111/dl?inline). The company had self-disclosed the issue within weeks of an employee raising a concern during an internal audit. 
• In October 2023, the DoJ declined to prosecute a healthcare company for submitting fraudulent payment claims under the US Medicare Advantage programme (www.justice.gov/d9/2023-10/doj-with-bt-signature-executed.pdf). 
• In May 2024, the DoJ’s National Security Division announced its first declination under its own self-disclosure policy of a US biochemical company that disclosed employee misconduct relating to exports to China (www.dhs.gov/hsi/news/2024/05/22/ringleader-company-insider-plead-guilty-defrauding-biochemical-company-diverting). According to the DoJ, the company had self-disclosed the misconduct within a week of obtaining counsel to conduct an internal investigation and well before the company had a complete understanding of the potential misconduct.

In these and other cases, the businesses were required to disgorge the financial benefits that they had obtained from the misconduct but did not have to pay further criminal penalties.

Whistleblowing in the US

On 1 August 2024, the DoJ launched a three-year pilot programme (the pilot), which is focused on financially rewarding whistleblowers in order to incentivise reporting of misconduct (www.justice.gov/criminal/criminal-division-corporate-whistleblower-awards-pilot-program).

While the pilot does not require whistleblowers to report their concerns internally before reporting them to the DoJ, this is heavily encouraged as prior internal reporting is taken as a positive factor when calculating the whistleblower award. Whistleblowers who report internally have 120 days to report to the DoJ to be eligible to receive a monetary award. 

If a whistleblower makes both an internal report to the business and a submission to the DoJ before the business self-reports, the business can still take advantage of the applicable voluntary self-disclosure policy. However, it can only do so if it self-reports within 120 days after receiving the whistleblower’s internal report and otherwise meets the requirements of the voluntary self-disclosure policy. This creates a further incentive for businesses to consider whistleblower reports promptly and decide whether to self-disclose. 

M&A transactions 

As a further expansion in incentivising businesses to seek compensation from individual wrongdoers, the mergers and acquisitions (M&A) safe harbour policy addresses voluntary self-disclosure in the M&A context (www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-announces-new-safe-harbor-policy-voluntary-self). 

It provides that an acquiring business will have an opportunity to avoid prosecution if it voluntarily self-discloses misconduct at an acquired entity to the DoJ within six months of the closing of an M&A transaction, regardless of whether the misconduct was discovered during pre-acquisition due diligence or only after the transaction closed. This is only available if the business can demonstrate full co-operation and that it has remediated the misconduct within a year of the transaction closing.

The decision to self-report

There is no legal requirement to report bribery or fraud to either the SFO or the DoJ: self-reporting is a commercial decision for the business, balancing the benefits and risks on the facts in question and, in particular, the scale of the potential issue and the risks of it otherwise being reported or publicised (see box "Reaching the decision to self-report"). In the UK, a business may have other reporting obligations, for example to the Financial Conduct Authority or the need to seek consent from the National Crime Agency (NCA) in relation to dealing with potentially tainted funds, which mean that the SFO is likely to be aware of the matter in any case.

Given the continuing global increase of enforcement actions in relation to bribery and fraud, enhanced international co-operation between authorities, and the move towards DPA systems in more jurisdictions, an organisation that is considering whether or not to self-report needs to ensure that it considers the risks and benefits of doing so on a global basis and with a clear understanding of regulators’ likely expectations as to further co-operation (see box "Self-reporting in Canada, the EU, Singapore, South Africa and The Netherlands"). Where there is a cross-border exposure, mandatory reporting in one jurisdiction may make the decision on self-reporting in others: ensuring synchronised and consistent messaging in these situations is very important.

Individual directors and senior managers also need to consider carefully their own position and potential criminal and civil liability, and act appropriately in the circumstances (see "Considerations for individuals" below). An organisation needs to ensure that any self-report is made to the relevant authorities quickly enough to gain co-operation credit or, in the US, to qualify for reduced penalties or a declination, or a deferment of prosecution in other relevant jurisdictions. There is always a tension between self-reporting sufficiently quickly and the need to investigate an allegation to determine whether to report and, if so, what to report.

The UK position

Under English company law, directors have to consider the best interests of the company as a whole when making decisions. Directors must act in the way that they consider, in good faith, would be most likely to promote the success of the company for the benefit of its members as a whole (section 172(1), Companies Act 2006). This includes a consideration of the likely consequences of any decision in the long term and the desirability of the company maintaining a reputation for high standards of business conduct.

In deciding whether or not to self-report, therefore, the directors have to weigh up the potential benefits and risks of self-reporting. Benefits include:

• The potential to secure a DPA.
• The reduction in financial penalties.
• Potential long-term reputational advantages.

Possible risks include:

• The potential damage to the company’s share price resulting from an announcement of an external investigation.
• Additional investigation and remediation costs.
• Business disruption.
• Senior management changes that may be required.
• A failure to secure a DPA, and therefore the likelihood of prosecution.
• Potential civil litigation. Civil litigation arising out of bribery issues is well established in the US and is increasing in the UK and other jurisdictions

Many businesses that self-report to the SFO do so primarily in order to increase the likelihood of securing a DPA, which:

• Avoids a corporate criminal conviction and any resulting unwanted consequences, such as likely debarment from tendering for public procurement contracts. A conviction under section 1 of the 2010 Act, for example, results in automatic debarment.
• Is likely to lead to a quicker resolution of the matter as compared to a prosecution.
• Should lead to a reduction in any fine so that it is at least no greater than the fine that a court would have imposed following conviction after a guilty plea.

The SFO’s guidance on DPAs makes clear that voluntary self-reporting is a key feature of the profile of a case suitable to qualify for a DPA (www.sfo.gov.uk/publications/guidance-policy-and-protocols/guidance-for-corporates/deferred-prosecution-agreements/). However, while self-reporting is a significant factor in determining whether or not a DPA is offered, failure to do so is not a bar. Other relevant public interest factors are taken into account, such as a history of similar conduct, including prior criminal, civil and regulatory enforcement actions against the organisation or its directors, partners or majority shareholders, and whether the conduct alleged is part of the established business practices of the organisation. 

In the Airbus DPA, the judgment approving the DPA commented that although self-reporting was delayed because it was effectively forced to report due to the threat of imminent disclosure by a third party, the co-operation provided by Airbus was exemplary. Similarly, in the Entain DPA, despite there being no initial self-report, the company was praised for its level of co-operation, including the extent of material voluntarily produced to HM Revenue & Customs, which was described in the judgment as being “akin to self-reporting”.

The decision on whether to approve a DPA will ultimately be determined by the court, having considered public interest factors as well as the engagement and co-operation of the organisation. In appropriate circumstances, self-reporting may also lead to no criminal action being taken, although it is likely that the SFO will undertake some level of investigation in any case and require the organisation to provide a significant amount of information and material.

The US position

The DoJ's corporate enforcement policy starts with the proposition that an organisation will receive a prosecution declination if it self-discloses, co-operates with the investigation and remediates in a timely fashion. If a declination is not warranted due to aggravated circumstances or other factors, a self-disclosing organisation can still qualify for a penalty reduction of up to 75% below the low end of the applicable fine range and can generally hope to avoid the requirement of a corporate monitor. These are substantial benefits. That said, a co-operating organisation that does not voluntarily self-disclose can still hope to obtain a DPA and a penalty reduction of up to 50% below the applicable range, depending on the facts and circumstances. 

The number of reported declinations is still low and the current iterations of the DoJ’s policies are still relatively new. Understanding how quickly an organisation must make a disclosure after receiving a report or allegation of misconduct remains a difficult question. The reported declinations suggest that this is a decision that will almost certainly have to be made before an internal investigation can be conducted, often within weeks if not sooner. 

Once a disclosure is made, the organisation must be prepared to commit to fully co-operating with the investigation and remediating the misconduct in a timely fashion, otherwise the value of the self-disclosure will be lost. This means that organisations need to be fully forthcoming with information, commit to updating their existing compliance programme, disgorge the profits from the affected transactions, and terminate the contracts of those employees and executives who are responsible for the misconduct. Whether the organisation is prepared to make these commitments needs to be assessed and understood before a decision to self-disclose is made.

Given the uncertainty around how quickly a disclosure must be made for the DoJ to consider it voluntary, it remains important to note that the DoJ policies are just that: policies. They are not regulations with the force of law, and do not create any enforceable rights or provide any ability for recourse if the DoJ chooses to deviate from them. An organisation therefore has little recourse to the courts to challenge the prosecutor’s discretion if the DoJ denies an expected benefit from a self-disclosure. The DoJ alone determines whether a given disclosure is, in fact, voluntary. Accordingly, while the recent spate of corporate enforcement policies in the US provide greater clarity in many respects, considerable uncertainty remains.

In addition, receiving a declination from the DoJ will not necessarily preclude civil enforcement actions being taken against the disclosing organisation. The Securities and Exchange Commission (SEC), for example, frequently pursues parallel civil enforcement actions that will not necessarily be settled by a resolution under the DoJ's Corporate Enforcement Policy (https://www.justice.gov/criminal/criminal-fraud/file/838416/dl). Public companies that are considering making a disclosure to the DoJ must also consider simultaneous disclosures to the SEC and be prepared for additional penalties and remediation requirements beyond the DoJ.  

Leap into the unknown

One of the great difficulties in assessing whether or not to self-report is the uncertainty as to whether self-disclosure will result in a DPA in the UK, or a DPA or a declination in the US. This uncertainty exists in both jurisdictions, although to different extents. Historically, in the UK, it used to be the case that a business which self-reported was likely to receive only a civil sanction. However, the SFO’s guidance on self-reporting makes it clear that self-reporting is no guarantee that a prosecution will not follow (www.sfo.gov.uk/publications/guidance-policy-and-protocols/guidance-for-corporates/corporate-self-reporting/). In addition, recent practice shows that self-reporting is not necessary in order to obtain a DPA, however extensive the co-operation with any investigation.

In comparison, the US historically took the position that there was no guarantee of a declination or a DPA even where an organisation made a voluntary self-disclosure, but the adoption of the DoJ's Corporate Enforcement Policy  provides greater certainty that an organisation should receive a declination or a DPA. Neither the SFO nor the DoJ consider self-reporting to be sufficient in itself to achieve a DPA in the UK or, in the US, a DPA or a declination. It is only the first stage in the extensive co-operation that will be required, the terms of which will be unknown at the time of the self-report.

In both the US and the UK, self-reporting starts a process over which the organisation has little control and which, if it does not co-operate to the prosecutor’s satisfaction, may put it in a worse position than it started in, particularly given that it may have disclosed an issue which may otherwise not have come to light or provided material to the prosecutor that it might not otherwise have obtained. Reporting to one regulator may also bring a matter to the attention of other regulators both in that jurisdiction and other jurisdictions.

There are also considerations unique to each jurisdiction that increase the uncertainty associated with self-disclosure. For example, in the UK, court approval is required for a DPA, so even if the SFO recommends a DPA after extensive co-operation, the court may reject it. 

While judicial approval is not required for a declination or a DPA in the US, uncertainty arises in connection with the significant leeway that US prosecutors have to withhold the benefits under the various corporate self-disclosure policies even after an organisation has self-disclosed. In addition, the requirements for timely disclosure in the US may mean that decisions regarding disclosure will need to be made quickly and with imperfect information, which raises the risk that the benefits of disclosure may not be granted (see "US timing requirements" below).

Considerations for individuals

In the UK, individuals, including directors, may be exposed to the risk of committing money laundering offences in relation to funds that are potentially the proceeds of crime, for example, the proceeds of potentially tainted contracts, unless they obtain consent from the NCA to take decisions in relation to those funds under section 338 of the Proceeds of Crime Act 2002. Where these individuals are senior managers, the organisation may now also find itself liable for these offences if it does not obtain consent. The NCA may then report the matter to the SFO. UK directors should also take advice on their own duties and liability if contracts that were potentially obtained by corruption are ongoing and the counterparties to those contracts are not informed that corruption may have been involved. 

In the US, individuals are also subject to potential liability. The DoJ's Corporate Enforcement Policy  makes clear that, in order to qualify for voluntary disclosure credit, an organisation must disclose all relevant facts known to it, including all relevant facts about all individuals involved in the violation of law. The language is broad enough that organisations must disclose information regarding any potential criminal conduct, not just FCPA violations, if seeking to make a voluntary disclosure.

Considering that conduct that potentially violates the FCPA could also be covered by a number of other US statutes, ranging from wire and mail fraud to Travel Act or tax law violations, individuals and companies must keep in mind that voluntary disclosure of possible FCPA violations may open the floodgates to other criminal liability.

Organisations must be ready to make current and former directors, officers, employees and agents available for interviews with the DoJ if requested. This requirement covers persons outside of the US who might not otherwise be subject to US jurisdiction and, where possible, third parties. Since disclosure must be made at an early stage in the US, organisations must be prepared to make this level of disclosure without full knowledge about the extent of an individual's involvement or the individual's exposure to liability.

Documenting the decision

Organisations need to consider how they will decide to make a self-report. 

UK. It is essential that any decision on self-reporting is taken by directors who are independent from the underlying allegation and that the decision is properly considered with appropriate advice and documented. Whatever decision is made, a board needs to ensure that the matter is investigated and appropriate remediation steps are taken to minimise ongoing criminal, civil and reputational risks, and that it avoids the perception of having suppressed the matter.

Failing to respond properly to a potential bribery issue will make it very difficult to obtain any credit, or make out a defence of adequate procedures under section 7 of the 2010 Act or reasonable procedures under the new failure to prevent fraud offence, and will expose the directors to the risk of litigation whether or not they were involved in the underlying issue. The conduct of internal investigation by in-house lawyers has recently been the subject of guidance by the Law Society following concerns about independence (www.lawsociety.org.uk/topics/in-house/in-house-practice-regulatory-requirements; see feature article "Internal investigations: the case for independence", www.practicallaw.com/w-044-3750).

In making a decision regarding self-reporting, businesses must take care to ensure that any internal investigation is conducted properly, and be conscious that the decisions made as a part of that investigation may be opened to external scrutiny. 

US. The DoJ's Corporate Enforcement Policy explicitly requires businesses to provide all relevant facts that were gathered during their independent investigation to the DoJ, even when not specifically asked to do so. Investigating an allegation but then choosing not to disclose it in a timely manner virtually guarantees that the DoJ will refuse to provide any credit for disclosures made later, as can be seen in the case of Panasonic Avionics Corporation's DPA (www.justice.gov/criminal/criminal-fraud/file/1058571/dl).

Beyond disclosure to law enforcement agencies, businesses may also be obliged to release internal investigation records to the public, especially where the business concerned is a public company.

When to self-report

Both the DoJ and the SFO require a self-report to be made within a reasonable time and before they are aware of the matter in question.

UK timing requirements

In the UK, the SFO's and CPS's Code of Practice on DPAs (the Code) states that co-operation involves reporting offending otherwise unknown to the prosecutor within a reasonable time of the offending coming to light (www.cps.gov.uk/sites/default/files/documents/publications/dpa_cop.pdf). In addition, voluntary self-reporting must be made without the threat of imminent disclosure by a third party or compulsion.

The SFO's guidance on self-reporting, which echoes the position set out in the Code, confirms that organisations wishing to be considered for a DPA should self-report wrongdoing within a reasonable time of those suspicions coming to light. However, the question of what constitutes a reasonable time has not been made clear.  

In the Airbus DPA, failing to self-report at the time the conduct took place in 2007 and 2008 and only reporting in April 2016 was seen as an aggravating factor as the judgment approving the DPA noted that it would be more difficult to investigate and prosecute individual offenders. 

When the DPA regime was first introduced it was suggested that initial reports of suspected criminality should be notified to the SFO as soon as discovered. However, more recently, it has been acknowledged that it is unrealistic to expect a business to report at the very moment that it first becomes aware of potential wrongdoing and that it is reasonable for businesses to investigate allegations of misconduct before reporting.

The longer that is taken, however, the greater the risk that disclosure by a third-party becomes imminent, which potentially robs the business of the credit for a voluntary self-report. Ensuring that the business is in a position to make an informed decision whether to self-report as soon as practically possible is therefore key.

US timing requirements

The US requirement that organisations must report before an immediate threat of disclosure or government investigation is perhaps the most opaque element of the DoJ's Corporate Enforcement Policy for organisations that are considering voluntary disclosure. Any amount of public information from any source could disqualify an organisation from receiving any credit for disclosure, even if that information is not easily accessed or readily available, or the organisation is not otherwise aware of it. While the most recent policy developments relating to whistleblowers and M&A transactions provide some more concrete time parameters, much is still unclear.

Worse still, the "imminent threat" language could disqualify disclosure by an organisation even where no public information exists at the time of the disclosure; if the DoJ determines that the information might have become known, it can reject a declination under the current policy framework and pursue a prosecution.

In addition, the "government investigation" language means that it is possible for credit to be denied if a government investigation, even one in secret, began before disclosure, despite the fact that it would have been impossible for an organisation to know this information.

Organisations therefore have a very narrow window, likely to be weeks, rather than months, for self-reporting any violation in order to receive a declination. This compressed timeline may require organisations to make decisions on self-reporting based on substantially incomplete information.

Next steps

Once a decision to self-report has been made, the business must meet certain specific requirements. The SFO's guidance on self-reporting states that a self-report must include any internal investigation reports, supporting evidence such as emails and banking evidence, and witness reports. In practice, where a self-report needs to be made quickly, it may make sense to notify the SFO quickly and informally and then follow up with further material.

The DoJ’s Corporate Enforcement Policy means that businesses face significant additional requirements to qualify for full co-operation. Beyond full and timely disclosure of all relevant facts, they must also proactively co-operate and disclose information even if not asked, collect and preserve relevant documents, engage in de-confliction of internal investigations where asked (that is, defer interviews of employees and other internal investigatory steps until the government has completed its investigation), and make current and former employees and officers available for interviews.

Consistent with the September 2015 USA Yates Memorandum on individual accountability for corporate wrongdoing, the DoJ's Corporate Enforcement Policy requires a self-disclosure to include details of all individuals involved in the violation of law (www.justice.gov/d9/pages/attachments/2015/09/10/individual_accountability_for_corporate_wrongdoing_dag_memo2.pdf). Considering that reports may need to be made based on imperfect information due to the importance of timeliness of reporting, there is therefore a challenging balance to be struck between timely self-reporting and ensuring the accuracy of what is being disclosed. 

Co-operation does not end at self-reporting or the provision of information and data. To receive co-operation credit, companies must take proactive measures to:

• Understand the issue, demonstrating that they have analysed and addressed its root causes, including dealing with employees at fault.
• Remediate the issue, including by making efforts to clawback compensation from implicated employees and executives, where possible.
• Implement an effective compliance programme to seek to prevent a repeat.

These steps must be taken in a timely manner and cannot wait until the conclusion of the investigation. 

Andrew Reeves and Stuart Neely are partners, Thomas Hubbard is a senior associate, and Dani Bass is an associate, at Norton Rose Fulbright LLP.

Reaching the decision to self-report

Some of the key considerations for multinational businesses to take into account when considering whether to self-report economic crimes such as bribery include:

• Weighing up carefully the benefits and risks of self-reporting in all relevant jurisdictions.
• Understanding that it may be necessary to self-report bribery and other corporate offences quickly and likely before an internal investigation can be completed in order to gain credit for doing so. Businesses must be mindful that whistleblowers are increasingly incentivised to report concerns directly to the authorities. Preliminary investigations should therefore be conducted as quickly as possible.
• Bearing in mind that extensive co-operation is likely to be required, since self-reporting is neither necessary nor sufficient to obtain a deferred prosecution agreement in the UK or the US.
• Taking the appropriate steps to investigate and remediate the underlying issues to manage risks for individuals and the business in the future. This action will be required whether or not an organisation decides to self-report.

Self-reporting in Canada, the EU, Singapore, South Africa and The Netherlands

Global organisations must take account of the increasing number of jurisdictions that are moving towards deferred prosecution agreements (DPA) and other self-reporting procedures.

Canada

Canada does not have a broad legal requirement obliging organisations to self-report criminal offences, including for bribery offences of either domestic or foreign public officials. 

Reporting entities that are subject to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, which include financial institutions, are required to report certain suspicious activities to Canada’s financial intelligence unit, the Financial Transactions and Reports Analysis Centre of Canada. Suspicious transaction reports (STR) must be filed when there are reasonable grounds to suspect that there is a financial transaction related to the commission of money laundering, a terrorist activity financing offence or sanctions evasion (https://fintrac-canafe.canada.ca/guidance-directives/transaction-operation/str-dod/str-dod-eng). Non-compliance may result in criminal charges or civil administrative monetary penalties.

In respect of corruption offences, voluntary self-reporting can be beneficial for organisations that discover misconduct. A self-report is made to the sensitive and international investigations unit of the Royal Canadian Mounted Police, which investigates the matter and then works with the Public Prosecution Service of Canada (PPSC). 

The PPSC is required to consider whether the organisation voluntarily self-reported as one of the nine factors when determining whether to issue an invitation to negotiate a remediation agreement, which is similar to a DPA in other jurisdictions (Criminal Code of Canada, section 715.32 (2)(a)). It is therefore an important consideration when determining whether to voluntarily self-report conduct, although it does not result in an automatic reduction in penalty.

EU

Since 2021, the European Public Prosecutor’s Office (EPPO) has investigated and prosecuted crimes affecting the financial interests of the EU. There are no specific requirements or guidelines regarding self-reporting to the EPPO. However, Regulation 2017/1939/EU indicates that guidelines on simplified prosecution agreements will be established, which could potentially include provisions on self-reporting. For businesses in the EU, this is an important development to monitor, as it could, in the future, offer the option of reporting offences either nationally or to the EPPO, depending on what is more beneficial based on the jurisdictional and factual circumstances.

Singapore 

There is no express legislative requirement on businesses or financial institutions to self-report bribery generally in Singapore, except in relation to a limited number of bribery offences involving public servants under the Penal Code 1871. These offences relate to the following conduct: 

• A public servant taking a reward other than legal remuneration in respect of an official act.
• A person taking a reward in order to influence, by corrupt or illegal means, a public servant.
• A person taking a reward for the exercise of personal influence with a public servant.

Any person who becomes aware of the commission of, or the intention of any other person to commit, one of these offences must immediately report it unless there is a reasonable excuse not to do so (section 424, Criminal Procedure Code 2010).

In addition, Singapore’s primary anti-money laundering legislation, the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act 1992, imposes reporting obligations on persons who know, or have reasonable grounds to suspect, that any property represents the proceeds of criminal conduct, or was used, or was intended to be used, in connection with any act constituting criminal conduct. Criminal conduct includes acts of bribery under both the Prevention of Corruption Act 1960 and the Penal Code 1871. These reporting obligations may be fulfilled by filing an STR as soon as is reasonably practicable after the relevant knowledge or suspicion comes to the person’s attention.

There is no process under Singapore law by which organisations may file an STR and seek consent from the authorities to proceed with the intended transaction. The organisation would therefore have to assess the risk of being found to have committed a money laundering offence if it were to proceed with the transaction.

The self-disclosure of violations is likely a factor that the public prosecutor will take into account in assessing whether to enter into a DPA with an organisation to resolve corporate misconduct under the DPA regime.

South Africa

The concept of DPAs in South Africa is a relatively new one. In early 2024, the National Prosecuting Authority (NPA) introduced the corporate alternative dispute resolution (CADR) policy to address cases of serious corporate corruption and related offences. The CADR policy establishes a framework for diverting cases against businesses away from criminal prosecution to alternative resolutions, emphasising corporate accountability and compliance. A critical component of this framework is the role of self-reporting and voluntary disclosure of misconduct by organisations.

The CADR policy outlines several principles that the NPA will apply in taking a decision not to prosecute an organisation and to use CADR instead. These include legality and rationality, for example promoting corporate accountability, public interest guided discretion (including voluntary and effective disclosure by a business, co-operation by the business with investigations, and willingness by the business to implement and monitor an effective compliance programme) and transparency. 

The CADR policy also outlines the criteria that the NPA will consider to determine whether the use of corporate ADR would be in the public interest. 

In April 2024, the Prevention and Combating of Corrupt Activities Act 2004 was amended to include a failure to prevent corrupt activities offence, whereby organisations are guilty of an offence if a person associated with that organisation gives, or agrees to give, any prohibited reward, for example a bribe, to another person, in order to obtain or retain business for, or an advantage in the conduct of, that organisation. There is a defence of “adequate procedures”, similar to the one that applies in the UK's failure to prevent fraud offence. Where a business may be liable for this new offence, the NPA will likely give increased consideration for self-reporting in an effort to drive corporate ADR. 

The Netherlands

The Netherlands does not have a broad legal requirement that obliges businesses to self-report criminal offences to the Dutch Public Prosecutor’s Office (DPPO), except in the context of anti-money laundering. Under the Dutch Money Laundering and Terrorist Financing Act, in-scope persons and organisations are required to report unusual transactions to the Dutch Financial Intelligence Unit within 14 days. Different objective and subjective factors are relevant to decide whether a transaction is unusual; for example, if a bank has good reason to believe that it is related to money laundering or terrorist financing. Failing to report an unusual transaction when required to do so is a criminal offence.

On 22 November 2024, the DPPO has released a new policy outlining the framework for self-reporting and cooperation by legal entities involved in potential criminal offences which will enter into force on 1 January 2025. This move aligns the Netherlands with practices followed by other jurisdictions, such as the US, UK and Canada and addresses recommendations made the the Organisation for Economic Co-operation and Development  (OECD) Anti-Bribery Working Group. Specifically, the OECD has urged the Netherlands to establish clear policies and guidelines on self-reporting, detailing the procedures for making such reports, the level of cooperation expected, and how self-reporting will be considered in enforcement and sanctioning decisions, particularly in foreign bribery cases.¹ 

The DPPO’s guidance outlines the conditions under which a prosecutor may reduce fines for legal entities (not for individuals) that self-report possible criminal offences and/or fully cooperate in a criminal investigation. Key points include:

• Self-reporting and cooperation: The DPPO policy introduces a potential fine reduction of up to 50%, divided equally between self-reporting and cooperation. 
  • Self-reporting: Legal entities that voluntarily and promptly self-report potential criminal offences may qualify for a 25% reduction, provided the disclosure is complete, timely, and presented in a clear, structured manner. To meet this standard, organizations must include all relevant evidence and disclose all known offences within their sphere, including the individuals and assets involved. 
  • Cooperation: An additional 25% reduction may be granted for full cooperation during investigations. Cooperation includes proactively providing evidence, ensuring employee availability for interviews, and preventing interference with evidence or witnesses
• Exploratory discussions: Legal entities can seek (anonymous) preliminary discussions with the DDPO to determine if their self-reporting and cooperation fall under the guidance.² 

Voluntary self-reporting can still be beneficial for businesses that discover misconduct by themselves or through their employees. The DPPO is required to consider voluntary self-reporting as one of six factors when determining the penalty amount in the context of a non-trial resolution. In the past, some businesses have received a 25% reduction in the penalty amount due to their voluntary self-reporting of misconduct to the DPPO (www.prosecutionservice.nl/latest/news/2021/04/28/econosto-mideast-econosto-eriks-cmk-and-mammoet-salvage-reach-settlement-agreements-with-the-netherlands-public-prosecution-service).