Horizon Scanning: Investigations and Enforcement

In this horizon scan, we focus on key developments affecting companies operating in the UK, including in light of the recent change in UK government. The key focus areas are:

• Fraud and bribery: including the upcoming failure to prevent fraud offence, changes to the new mandatory fraud reimbursement scheme, and the new Australian failure to prevent bribery offence. 
• ESG due diligence: the impact of the EU Corporate Sustainability Due Diligence Directive.
• Ever-increasing scrutiny on how internal investigations are conducted, and a focus from the SFO and US authorities on rewarding whistleblowers, encouraging self-reporting and cooperation;
• Sanctions: the impact of the new Amending Regulations and Trade Sanctions Regulations; and
• Increased early intervention from the FCA and PRA, including use of OIREQs and VREQs.

1. Fraud and bribery

The new UK government has emphasised that fraud is at the top of its financial crime agenda and we also expect to see a continued focus on international bribery and corruption.  Fraud and bribery-related developments include:

• The new failure to prevent fraud offence, which is likely to come into force in H1 2025 following the expected publication in Q4 2024 of guidance on “reasonable procedures to prevent fraud”.  At a recent panel discussion, associate general counsel for the SFO, Emma Isaac, expressed the SFO’s hope that the offence would mirror the success of the UK Bribery Act’s failure to prevent bribery offence, in particular relating to the incentives offered to those companies who self-report breaches of the offence.
  
  For more on key considerations organisations should have in mind, please see here. Importantly, the offence applies to UK and non-UK companies alike. We have also published a series of articles summarising the key elements of the offence, how companies should approach risk assessments, putting in place policies and procedures, and considerations in relation to tone from the top and training.

• The new ‘Failure to Prevent Bribery’ offence, which companies operating in Australia should be aware of. Similar to the UK Bribery Act, the only defence is having ‘adequate procedures’ in place to prevent bribery. For more on the new Australian offence of Failure to Prevent Bribery, please see here.
• The Payment Services Regulator (PSR) reimbursement scheme, which is due to introduce stringent protections for scam victims, from 7 October 2024. This was due to include a maximum threshold of £415,000 for banks and building societies to reimburse victims of fraud.  However, the rise in fraud related claims has put pressure on the PSR to reduce the maximum fraud reimbursement to £85,000 amid fears that such a high number of claims could bankrupt mid-level financial firms and institutions. For more information, please see our article here.

2. Corporate Sustainability Due Diligence Directive:

The EU Corporate Sustainability Due Diligence Directive (CSDDD) became law on 25 July 2024, with its requirements coming into effect from 2027.  As highlighted in our previous horizon scan, CSDDD introduces ESG-related due diligence obligations for certain large EU as well as non-EU companies that generate a certain level of turnover in the EU.  Please see our overview here.  

CSDDD will require in-scope companies to undertake risk-based human rights and environmental due diligence to identify and assess actual and potential adverse impacts, and (as appropriate) prevent, mitigate, bring to an end and remedy such impacts in their operations and chain of activities.  “Chain of activities” is defined to include the company’s upstream supply chain, as well as certain activities of downstream business partners related to the distribution, transport or storage of products. 

Separately, the legislative passage of the EU Forced Labour Regulation (FLR) is expected to complete later this year, meaning the FLR would enter into force in 2027.  While the FLR does not introduce any additional due diligence obligations beyond those prescribed in CSDDD, it will prohibit products made with forced labour from entry into the EU and will grant powers of investigation and enforcement to the EU Commission and EU Member States.  Both laws are likely to impact many UK domiciled companies given their extraterritorial reach and the importance of the EU as an export market.

3. Investigations and whistleblowing

We expect to see a continued increase in speak up and other internal investigations, as well as increased scrutiny of how investigations are conducted and the role of in-house counsel.  Draft SRA guidance (expected to be finalised in Q4) highlights the importance of effective internal investigations, but also the challenges and risks that they present for in-house counsel.  These risks include breaching professional duties to act independently, to treat colleagues fairly and with respect, and to act in a way that upholds public trust and confidence in the profession. For more information, please see our article here.

The SFO has signalled that it will seek to incentivise whistleblowers (and those involved in criminality) to come forward, and also said that it will provide updated guidance which sets out how it expects companies to cooperate if any criminality is suspected.  While no timeline has been given for this guidance to be published, companies should review their investigations protocols and policies for self-reporting in the meantime against the existing guidance.  The US Department of Justice, meanwhile, recently published the Corporate Whistleblowers Awards Pilot Program, which seeks to financially incentivise whistleblowers to report allegations of corporate crime.  The program also introduces a presumption of declination if corporates come forward within 120 days of an internal whistleblower report.  We have covered this in more detail here.

4. Sanctions

• OTSI has its powers: On 10 October 2024 the much awaited Trade, Aircraft and Shipping Sanctions (Civil Enforcement) Regulations 2024 (UK Trade Sanctions Regulations) comes into force, which will provide a framework for the Office for Trade Sanctions Implementation (OTSI) – the UK’s newest sanctions authority - to impose civil enforcement relating to certain trade sanctions. The powers of OTSI under the UK Trade Sanctions Regulations will include requests for information and reporting obligations on “relevant persons”, such as financial services providers and lawyers, the failure of which can amount to a criminal offence resulting in 6 months imprisonment or a fine. OTSI will also have the power to impose civil monetary penalties for breaches of trade sanctions on a strict liability basis, at a maximum of £1,000,000 or 50% of the estimated value of the breach – whichever is higher; and publish information on those breaches. OTSI is expected to follow a similar model to OFSI (the UK’s financial sanctions authority), although has stated that it will seek to learn lessons from OFSI’s approach since its creation in 2016.
• Amendments to the UK’s Russia Regulations suggest a US secondary sanctions approach to designations: In July and September 2024, the Russia (Sanctions) (EU Exit) (Amendment) (No. 3) and (No. 4) Regulations 2024 (Amending Regulations) amending the Russia (Sanctions) (EU Exit) Regulations 2019 (Russia Regulations) came into force.  The Amending Regulations have amongst other things:

1. introduced additional activities for which a person may be designated, and a ship may be specified.  The designation criteria under regulation 6 of the Russia Regulations has now been expanded to include individuals and organisations “providing financial services, or making available funds, economic resources, goods or technology” to persons who are involved with, derive a benefit from or support the Russian government; or (ii) own or control (whether directly or indirectly) persons involved in destabilising or undermining the sovereignty of Ukraine;
2. introduced additional activities for the specification of ships under regulation 57F of the Russia Regulations to include carrying dual use or military goods, oil and oil based products originating in Russia, as well as any goods that could contribute to undermine or threaten the sovereignty of Ukraine or obtain a benefit from or support the Russian government;
3. redefined the scope of regulation 54D relating to legal services and replaced the existing general trade licence, such that legal advisory services are now permitted if they relate to compliance with sanctions and criminal legislation imposed by any jurisdiction and Russian counter sanction measures.  The Amending Regulations have additionally included amendments to the definition of “legal advisory services” to exclude (i) the management of claims under insurance and reinsurance contracts, and (ii) tribunals and proceedings in any jurisdiction. The Amending Regulations have also aligned regulation 54D with the circumvention provisions contained in the Russia Regulations by providing further guidance on the degree of knowledge a person must have before the legal advisory services prohibition applies.

While it is not clear how the new designation criteria will be applied in practice, it does signal a shift in approach by the UK government as it appears to align more with the approach of recent US secondary sanctions on foreign financial institutions, which can be designated or restricted from accessing the US financial system if it is determined that they support Russia’s military-industrial base.

5. Early intervention by PRA and FCA

Following recent FCA outcomes in relation to breaches of requirements imposed by the FCA, regulated firms should be mindful of the wide powers of the FCA and the PRA, including ‘own-initiative requirement powers’ (OIREQs) and voluntary requirements (VREQs).  Given the current regulatory focus on use of supervision powers to prevent misconduct and manage risk, we are continuing to see more VREQ invitations and OIREQs with an increasingly wide range of requirements being sought and imposed.

For more detail on the considerations for firms when managing compliance with a VREQ/OIREQ, see our article here.