In our Quarterly Review, we bring you important UK developments relating to business crime, investigations, and regulatory enforcement from the last three months. 

Everything we include in our quarterly digest has a potential impact on business in the UK – both large and small. This has been an evolving spectrum of law and regulation for 30 years, and, as we come to the end of this extraordinary and difficult year, we can only speculate on the extent to which the pandemic will change the way we do business and the consequences on law and regulation. We continue to include the core topics you would expect to see, and we also include developing areas of interest on business and human rights that the English courts are presently grappling with. The role of the compliance function will also continue to widen with a greater emphasis on culture and ethics beyond the strict requirements of law and regulation. We are grateful for the positive feedback received on our Quarterly Review, and we wish you all well for 2021. 

UK Government asks Law Commission to review corporate laws on economic crime: In January 2017, the UK Government launched a Call for Evidence following concerns that the current criminal law regime does not provide a robust framework for successful prosecutions of corporate entities for economic crimes. On 4 November 2020, the Government reported that the evidence submitted was inconclusive, and further investigations are required before any legislative reforms are made. In light of this finding, the Government called the Law Commission, a UK statutory independent body, to draw up proposals to review corporate financial crimes. An options paper from the Law Commission will be published in late 2021 in which the Commission will analyse how effective the current laws are and will provide recommendations on legislative reforms. This suggests that we expect further delays to anticipated reforms for corporate crimes, which may come into force as late as 2023.

Serious Fraud Office (“SFO”) publishes guidance on Deferred Prosecution Agreements (“DPA”): In October 2020, the SFO published its internal guidance on DPAs by amending its SFO Operational Handbook. The published guidance largely reflects the messages that have emerged from the nine DPAs approved so far but nevertheless provides more useful direction on what corporates and their advisers must understand if they wish to enter into a DPA with the SFO and avoid criminal conviction. Cooperation and remediation remain key factors, with considerable weight being given to a “genuinely proactive approach”, and the waiving of privilege is considered an important part of such cooperation. Parallel investigations across agencies and jurisdictions remain a growing trend but still a situation in which a DPA may be considered.

Whilst a full monitorship has not yet been imposed under any DPA, the published guidance makes it clear that this remains a possibility in the SFO’s arsenal, alongside less onerous alternatives such as an external reviewer (which was imposed as part of the SFO’s eighth DPA). Under the terms of a DPA, it will normally be fair, reasonable, and proportionate for a financial penalty to be imposed as well as other monetary obligations.

SFO’s DPA with Airline Services Limited (“ASL”): The High Court has approved the SFO’s ninth DPA on 30 October 2020. The DPA concludes five years of investigations and negotiations following ASL’s self-report to the SFO in 2015. The indictment comprises three counts of failing to prevent bribery contrary to section 7 of the Bribery Act 2010. ASL’s agent exploited commercially sensitive information about potential competitors to secure three contracts to refit commercial air liners, with a total value of £7.3 million. ASL, which is now a non-trading entity, has agreed to pay nearly £3 million in financial penalties, disgorgement of profits, and costs under the terms of the DPA. Approving the DPA, Mrs Justice May considered that ASL’s cooperation, self-reporting, the nature of the conduct, and remedial action taken meant that a DPA was in the “interests of justice”. ASL achieved the maximum 50% discount to the fine in light of these factors.

SFO Director calls for extension of “failure to prevent” laws: Speaking at the Royal United Services Institute on 8 October 2020, the SFO Director, Lisa Osofsky called for “failure to prevent” offences to be extended to fraud offences. The “failure to prevent” laws in the UK currently apply to bribery and tax evasion and operate to create direct liability for a company where a person acting for or on behalf of a company is found to have facilitated bribery or tax evasion, and the company failed to prevent such offence. Importantly, “failure to prevent” offences circumvent the traditional challenge of attributing criminal liability to companies by proving that the individuals involved are sufficiently senior to be the “controlling mind and will” of the company.

SFO success in relation to Unaoil and Petrobras bribery cases: The SFO made two noteworthy announcements connected to high-profile corruption scandals during the last quarter.

In October 2020, the sentencing of a former Unaoil executive was announced, following his guilty plea in 2019 to conspiracy to give corrupt payments in relation to oil pipeline construction projects in Iraq. Basil Al Jarah was sentenced to three years and four months’ imprisonment, after conspiring to pay around US$20 million in bribes to Iraqi public officials to secure contracts worth US$1.7 billion. Al Jarah received a reduced sentence as he cooperated with the SFO investigation, but he was noted to have played a central role in the bribery, due to his strong business connections and an apparent ability to exploit them.

In November 2020, the SFO announced it had successfully secured almost £1.2 million from an individual implicated in Brazil’s “Operation Car Wash” scandal, which revealed widespread corruption in the Brazilian oil industry. The individual, Julio Faerman, was suspected by the SFO to have purchased a luxury West London apartment from the proceeds of his criminal conduct. Faerman was investigated by the SFO after admitting to bribery in his native country of Brazil in connection with the Brazilian corruption scandal. The SFO’s investigation scrutinised his £4.25 million flat in London, as well as certain of his offshore bank accounts and companies. Faerman ultimately entered into a settlement with the SFO, under which he will be required to pay almost £1.2 million to have his property released from a freezing order.

These two announcements represent further successes for the SFO late in 2020. The SFO has reiterated its commitment to holding individuals, and not only corporates, accountable for their roles in bribery scandals. It has also stated it will continue to investigate, confiscate, and recover criminal assets held in the United Kingdom.

SFO first listed asset order: In September 2020, the SFO used a Listed Asset Order (“LAO”) for the first time. LAOs allow law enforcement agencies to seize, detain, and forfeit certain valuable items of personal property if they have reasonable grounds for suspecting that such “listed assets” have been obtained unlawfully. Listed assets include precious metals and stones, watches, artistic works, face-value vouchers, or postage stamps. LAOs are a significant example of the SFO utilizing new statutory powers incorporated into the Proceeds of Crime Act 2002 by section 15 of the Criminal Finances Act 2017.

In this case, the SFO used an LAO to successfully recover £500,000 worth of jewellery, including necklaces, Rolex watches, and rings, on the basis that such assets were believed to have been purchased with the proceeds of crime from a mortgage fraud case. Although this is the first time the SFO has used an LAO, the National Crime Agency (“NCA”) used an LAO in 2019 to seize a ring worth £1 million. The SFO indicated that it will continue to use the full range of powers available to it in order to seize proceeds of crime.

SFO and the Financial Services Compensation Scheme (“FSCS”) team up to stamp out serious and complex fraud: On 19 November 2020, the FSCS and SFO signed a memorandum of understanding (“MOU”) to facilitate the investigation and prosecution of serious and complex fraud. Whilst the SFO is already charged with investigating serious and complex fraud, the FSCS’s role is to protect consumers of regulated financial services firms in the UK when they fail. The MOU formalises ways of sharing information to assist both agencies to perform their respective functions. The MOU also provides for additional cooperation, including sharing subject-matter expertise and supplying witness statements, expert advice or oral evidence for use in court, or tribunal proceedings.

NCA achieves first successful use of Unexplained Wealth Order (“UWO”): A suspected money launderer has agreed to forfeit nearly £10 million worth of assets to the NCA. Mansoor Mahmood Hussain and the NCA reached a settlement on 24 August 2020, with the High Court sealing the recovery order on 2 October 2020. The NCA secured an UWO against Mr Hussain earlier this year, following a hearing in July 2019 when the agency also applied for an interim freezing order. This was the second UWO that the NCA has successfully obtained and used but the first UWO obtained solely based on an individual’s alleged involvement in serious organised crime. UWOs were introduced by the Criminal Finances Act 2017, which amended Part 8 of the Proceeds of Crime Act 2002. UWOs require the respondent to provide evidence proving how they obtained specific assets. The High Court held that there were reasonable grounds for suspecting Mr Hussain’s involvement or connection to those involved in serious crime.

Key insights from 2019/2020 Office of Financial Sanctions Implementation (“OFSI”) annual report: The UK OFSI reported that in the April 2019 to March 2020 financial year, it received 140 voluntary disclosures of potential sanctions violations with a total transaction value of £982 million, marking a significant increase on the two previous financial years. While the majority of breaches were reported by the banking and financial services sectors, an increasing number of reports were made by the legal, charity, insurance, energy, and travel sectors.

Since its inception four years ago, OFSI has only imposed four financial penalties[1], three of which were imposed during the financial year 2019 to 2020. However, OFSI has to date only imposed one multi-million pound fine  and it therefore remains to be seen whether this can truly be taken as an indicator of OFSI beginning to play a more prominent and active enforcement role.

Other notable developments highlighted in OFSI’s 2019/2020 report include the addition of 44 new designated persons to the consolidated list of asset freeze targets and a total of nearly £12.5 billion worth of assets being frozen as of September 2019. OFSI has continued its outreach and engagement efforts in order to help prepare for Brexit at the end of the transition period, publishing its autonomous UK financial sanctions general guidance in January 2020 (updated in July 2020) and guidance on Russian financial sanctions that will apply when the Russia (Sanctions) (EU Exit) Regulations 2019 come into force.

It has also almost doubled its international cooperation efforts, engaging with 83 jurisdictions during the past financial year compared to 42 in the financial year 2018 to 2019. It will be interesting to see whether OFSI benefits from the added resources and intelligence that OFSI’s international cooperation would be expected to bring.

The Information Commissioner’s Office (“ICO”) issues £20 million fine for cybersecurity data breach: In October 2020, the ICO issued a fine of £20 million under the General Data Protection Regulation (the “GDPR”) to British Airways plc (“BA”) for a data breach BA suffered in June and July 2018. The quantum of the fine was a considerable reduction from the initial figure of £183.39 million that was proposed by the ICO in its Notice of Intention in July 2019.

The breach is thought to have affected 429,612 customers and staff and saw attackers harvest information, including: customer personal data, such as name, address, and payment card details, as well as usernames and pin numbers of BA Executive Club accounts and log-in details of BA administrator and employee accounts. The ICO noted specific concerns with BA’s practices, including the fact that: (i) BA did not discover the data breach itself but was alerted to it by a third party (and it was unclear whether BA would have identified the breach itself), and (ii) BA could have taken a number of measures, at no excessive cost, to mitigate or prevent the risks of an attacker being able to access its systems, including: multi-factor authentication, more rigorous penetration testing, ensuring different passwords for different accounts, and monitoring/logging access to files on BA’s systems.

In calculating the quantum of the £20 million fine, the ICO took a starting figure of £30 million rather than the £183.39 million figure it had proposed in its previous Notice of Intention (though the ICO did not clarify how it settled on £30 million as a starting point), before scaling down the fine in light of the following factors: (i) it was not a deliberate or intentional act by BA, and BA did not make any financial gain from the breach; (ii) BA’s “good behaviour”, including having no previous infringements reported to the ICO, full cooperation with the ICO’s investigation, and prompt implementation of improvements to its IT systems to mitigate against a similar cyberattack in the future; and (iii) in light of the current public health emergency and associated economic consequences relating to the COVID-19 pandemic.

The Financial Conduct Authority (“FCA”) final notice to trader following insider dealing conviction: On 1 September 2020, the FCA issued a Final Notice against Julian Rifat, preventing him from performing any functions related to any regulated activities carried on by an authorised or exempt person or an exempt professional firm in the future. Mr Rifat had committed several offences of dishonesty. Between June and November 2009, Mr Rifat engaged in insider dealing on eight occasions when he was working at Moore Europe Capital Management, LLP as a senior trader. In his position, Mr Rifat would often receive information regarding large-scale transactions before any public announcements took place. He was also aware of the fact that he had regularly received price-sensitive information. However, Mr Rifat took advantage of his position and executed numerous trades via a professional intermediary between the time he had received the price-sensitive information and when the public announcements took place. The total value of the eight trades he placed was £285,000. On 19 March 2015, Southwark Crown Court sentenced Mr Rifat to 19 months’ imprisonment and a fine of £100,000. The FCA also determined that Mr Rifat was no longer a fit and proper person to perform any functions related to any regulated activities, stating, in its Decision Notice, that Mr Rifat’s actions constituted a “clear and serious lack of honesty and integrity”.

Pensions cold calling - £130,000 fine issued: On 10 September 2020, the ICO issued a £130,000 fine against CPS Advisory Ltd (“CPSAL”) for making 106,987 unauthorised marketing calls to individuals about their pensions. Under regulation 21B of the Privacy and Electronic Communications (EC Directive) Regulations 2003, a person may not make unsolicited calls to individuals to directly market occupational or personal pension schemes unless certain conditions apply. One important condition is that the caller must be an “authorised person” as defined in section 31 of the Financial Services and Markets Act 2000, or a person who is the trustee or manager of an occupational or personal pension scheme. This was not the case here. During its investigations, the ICO also discovered that CPSAL was engaging in questionable practices during these calls, such as making false claims that CPSAL had obtained personal information of the call recipient from a “survey” when the call recipient in question did not recall completing such a survey.

Business and Human Rights cases before the English courts: UK companies with operations overseas will be aware of a recent trend of English courts being open to consider claims of alleged violations of business and human rights (“BHR”) abroad, as we have covered in a client alert here. In the most recent BHR case of Municipio de Mariana v BHP Group Plc, the High Court appears to have set some limits on its willingness to entertain such claims. Where a case is already underway in the jurisdiction of the alleged violation and there are good reasons to believe the claimant will have a fair chance of achieving substantive justice, the English courts would be unwilling to accept jurisdiction. The High Court struck out the group action and came to the conclusion that it would “expensive, almost interminable, unfocussed, unpredictable and unmanageable” for the same case to be heard simultaneously in Brazil and England. For a full summary of the implications of this judgment, please read our Practical Law note here.

Latest Modern Slavery Act (“MSA”) developments: The UK has long been at the forefront of tackling modern slavery risks in companies’ operations and supply chains. On 22 September 2020, the UK Government consolidated its commitment to stamp out, what are often hidden, risks in its response to the “Transparency to Supply Chains” consultation. The response explores the various obligations under the MSA, and most notably, states that a single reporting deadline for modern slavery statements will be introduced, which must address specific topics (what topics should be covered will be further laid out by the Government). The Government provided further details of its mission against modern slavery in its annual report on modern slavery published on 14 October 2020. The English courts have also supported development in this area. In the case of R v Wabelua, the Court of Appeal offered useful guidance as to the court’s approach when deciding whether to make a Slavery and Trafficking Prevention Order under the MSA, following a defendant’s conviction for a slavery or human trafficking offence. English courts must be satisfied that (i) there is a real risk that the defendant may go on to commit further slavery or human trafficking offences, and (ii) the order is necessary rather than just desirable or helpful for the purpose of protecting persons.

The Financial Reporting Council (“FRC”) on climate change reporting: The FRC has published a wide-ranging thematic review (the “Review”) of climate-related considerations by boards, companies, auditors, professional bodies, and investors, which suggests the focus is well‑short of what is needed. The FRC’s focus on non-financial reporting coincides with announcements by the UK Government of more robust environmental disclosure standards for companies so that investors can better understand their risk exposure to climate change. The Review has concluded that (i) there is little evidence that business models and strategies are sufficiently influenced by integrating climate considerations into governance frameworks; (ii) an increasing number of companies are providing narrative reporting on climate-related issues, but it is unclear how progress towards these goals will be achieved, monitored, or assured; and (iii) investors support the Taskforce on Climate-related Financial Disclosures (“TCFD”). For further information, please refer to our client alert here.

Life sciences industry faces new enforcement powers in post-Brexit regulations: As Brexit is finally completed in the UK, from 1 January 2021, the Medicines and Healthcare products Regulatory Agency (“MHRA”) will be the UK’s standalone medicines and medical devices regulator. Transition from the EU has allowed the UK to offer fully independent regulatory decisions for both devices and pharmaceuticals, both nationally and in joint work with other international regulators.

The frequent changes to legislation on these issues will no longer flow through from updates at the EU level. The Medicines and Medical Devices Bill (the “Bill”), which has almost completed its passage through Parliament, creates the structure for the UK Government to legislate for updates or changes to our existing laws on human and veterinary medicines, clinical trials, and medical devices at the end of the Brexit transition period in January 2021.

When the Bill becomes law, the MHRA will have several new enforcement tools at its disposal, including enforcement undertakings and civil monetary penalties. As with other UK regulators, the MHRA will have powers to choose between civil and criminal penalties for breaches of the regulations, which will apply to corporate entities but also individuals and directors. For further information, please refer to our client alert here.

We are grateful to the following team members for their contributions: MoFo associates Laura Steen, Pietro Grassi, James Colautti, Sampaguita Tarrant, Rayhaan Vankalwala, and Matt Rodin and trainee solicitors Stephanie Pong, Georgia Wright, and Tom Zheng.

[1] Details of financial penalties imposed by OFSI are available here: https://www.gov.uk/government/collections/enforcement-of-financial-sanctions

[View source.]