In our Quarterly Review, we bring you important UK developments relating to Business Crime, Investigations and Regulatory Enforcement from the last three months. Please contact us if you would like to discuss any of these issues.
The COVID-19 pandemic has had an immediate impact on all aspects of the white collar arena and the scale will only be properly understood in the months to come. That is entirely consistent with our experience over many years as global events bring recession and economic downturn. Already, the UK government and regulatory authorities have made provision to accommodate the enforced changes in our business lives. The internal impact includes the ability to manage investigations and to comply with requirements that have suddenly become very challenging to manage. We examine some of those issues here and we will continue to monitor the impact of COVID-19 on corporates and individuals.
Cybersecurity in an era of remote working: In light of new demands imposed on organisations by the COVID-19 pandemic, the ICO and the National Cyber Security Centre (NCSC) have both issued guidance on cybersecurity considerations when working from home. The NCSC guidance highlights some of the policies and procedures that organisations should consider, including controlling access to corporate systems and the use of removable media such as USB sticks. The ICO has produced a specific checklist for organisations that covers bring your own device (BYOD) policies and considers the issues posed by remote desktops and applications, cloud storage and an increased use of email.
SFO drops more investigations: On 19 May 2020, the SFO announced that it had dropped its three-year investigation into ABB Ltd, which was linked to the Unaoil case. The SFO added that the ABB case did not pass the Code for Crown Prosecutors test, which specifies that the evidence must support a realistic prospect of conviction, and that the prosecution must be in the public interest. In June 2020, the SFO dropped its investigation into suspected corruption in South Sudan by De la Rue Group Plc, which began in July 2019. The SFO announced that following its investigation it had concluded that the case did not meet the test to commence a prosecution.
These are the latest in a series of investigations that the SFO has dropped since 28 August 2018, when Lisa Osofsky took the reins of the SFO. In 2019, the SFO dropped 10 investigations, while it only initiated five new ones. The investigations dropped in 2019 included the long-running GlaxoSmithKline bribery investigation, and the investigation into individuals associated with the Rolls-Royce case.
The SFO has also conceded defeat in the investigation of remaining Euribor suspects. The SFO has secured some important convictions in that case over the last two years and although the SFO secured European Arrest Warrants against four German and French nationals in 2016, their extradition was refused by the German and French courts. The SFO has now withdrawn the European Arrest Warrants. It is a further example of the problems facing the SFO in extraditing individuals even from within the EU whilst a Member State.
Unexplained wealth order recently overturned in the UK but law enforcement expected to continue heavy pursuit of financial crime proceeds: The English High Court recently made clear that unexplained wealth orders (UWOs) cannot be based on inadequate investigation by law enforcement. In January 2018, the UK enforcement authorities added a new tool to their arsenals to combat financial crime in the form of UWOs. The relevant legislation allows enforcement authorities to apply for a civil remedy to compel a person who is suspected of involvement in, or association with, serious crime to provide information and documents about specific property, including the nature and extent of their interest in the property and how the property was obtained. The court may also make an interim freezing order in respect of the property to which the UWO pertains, if necessary to do so to avoid the risk that a subsequent recovery order may be frustrated. UWOs and related interim freezing orders are not, however, stand-alone remedies but are an effort to strengthen the ability of enforcement authorities to seize and confiscate assets under the Proceeds of Crime Act 2002.
The UK National Crime Agency (NCA) has utilised UWOs since they became available but in April 2020, the High Court discharged three UWOs and corresponding interim freezing orders obtained by the NCA in May 2019 in relation to three London properties allegedly purchased with illicit funds. The Court concluded that the NCA’s case for the UWOs was “flawed by inadequate investigation into some obvious lines of enquiry.” In June, the Court of Appeal rejected the NCA’s application to appeal to have the UWOs reinstated. Nevertheless, the NCA has stated that it will continue to use all legislation at its disposal to pursue suspected illicit finance. We, therefore, expect the NCA to continue to pursue UWOs where laundering of the proceeds of crime is suspected. However, as the recent High Court case shows, while it may be relatively easy to obtain an order for a UWO, enforcement authorities must still meet the evidential requirements or they will be open to a successful challenge.
London Metropolitan Police obtain largest ever cash forfeiture with an account freezing order, seizing €1.95 million: While law enforcement’s use of UWOs has come under scrutiny by the court, account freezing orders (AFOs) continue to be utilised to successfully seize the proceeds of crime. In April 2020, the London Metropolitan Police (the “Met”) announced that it obtained an AFO freezing 25 bank accounts and leading to seizure of €1,952,950.58. The Met’s two-year investigation that led to the AFO relates to members of an organised crime network in Italy allegedly using front companies and accounts based in the UK to launder money.
AFOs are available to enforcement authorities to freeze accounts for up to two years where they have reasonable grounds to suspect that an account contains the proceeds of crime or is intended for unlawful use. Once the enforcement authorities have concluded their investigation, they may obtain the right to seize the assets in the frozen account, either by issuing an account forfeiture notice or applying for an account forfeiture order from the court.
The Met is not the only enforcement agency to increase its use of AFOs in combating money laundering. HM Revenue & Customs reported in May 2020 that its use of AFOs in the year ending March 2020 had increased by 177% from the previous year. We anticipate that all enforcement agencies will continue to increase their use of AFOs in their investigations into illicit funds and proceeds of crime, as the regime provides a simple route to freezing and seizing assets.
The Office of Financial Sanctions Implementation (OFSI) finally bares its teeth: OFSI has announced its largest ever penalty totaling £20.47 million on Standard Chartered Bank (SCB) for breaches of EU and UK sanctions regulations by making prohibited loans to a sanctioned entity. SCB made a total of 70 prohibited loans to Denizbank A.S. (Denizbank) between April 2015 and January 2018; Denizbank being a majority-held subsidiary of Russian bank Sberbank, which is subject to restrictive measures under the EU Ukraine (Sovereignty and Territorial Integrity) regime. Of the 70 loans, 21 had a transaction value of £97 million and occurred after 1 April 2017; the date from which powers were given to HM Treasury under section 146 of the Policing and Crime Act 2017 (PACA). On realising its potential sanctions breach, SCB disclosed the matter to OFSI. SCB also carried out an internal investigation of the breaches, providing a detailed report of the investigation to OFSI and further cooperating with OFSI’s investigation. As a result of its cooperation, SCB received a 30% reduction in the imposed fine, in accordance with OFSI’s published guidance on case assessment. SCB also exercised its right to a ministerial review of the initially imposed penalty (which amounted to a total of £31.5 million). The Minister exercised his power under PACA to reduce the penalty, finding that weight should have been given to SCB’s cooperation and remedial steps taken following its breach. OFSI’s recent activity could signal a new era of serious sanctions enforcement in the UK. It also highlights the importance of corporations having internal procedures to monitor sanctions compliance effectively.
The German government is the latest jurisdiction to modernise its corporate crime enforcement regime: As reported by our Berlin colleagues, the German government presented a draft bill in April 2020 to promote integrity in business which will affect not only German corporates but also all foreign commercial enterprises operating in Germany. The implementation may not be for two or three years but it is a further sign that bribery and corporate crime are included in a trend of growing enforcement with large financial penalties for breaches.
EU-commissioned study finds increased focus on supply chain due diligence: In February 2020, the British Institute of International and Comparative Law published a study for the European Union on due diligence in supply chains. The study found that the United Nations Guiding Principles on Business and Human Rights, which set out that the responsibility of businesses extends beyond a business’s own activities to include workers in its supply chain and in subcontracted companies, are increasingly being introduced into legal standards or proposed in Member States.
Similarly in the UK, since the introduction of the Modern Slavery Act in 2015, any company carrying out business in the UK with a total turnover of more than £36 million must publish an annual ‘slavery and human trafficking statement.’ The statement must provide the steps taken by a company to ensure its supply chain is free from slavery. In March 2020, the UK became the first country to publish a government modern slavery statement which outlines the steps that it has taken to stamp out modern slavery in its operations and supply chain. Although this relates to government spending and supply chain processes to prevent the government inadvertently supporting modern slavery, there are some useful examples of what corporations may do to also be more vigilant. English courts have recently found UK companies liable for business and human rights overseas.
Driving a purposeful business culture: The newly coined ‘Great Lockdown of 2020’ may cause many companies to make short-term profit enhancing decisions at the cost of longer-term sustainable growth. A discussion paper released by the FCA in March 2020 addresses, in a series of essays, the importance of driving purposeful business cultures in order to retain talent and maintain focus on a company’s goals. The paper, which considers the lessons learnt from the 2008 financial crisis, provides practical steps for business leaders looking to create a strong company ethos.
We particularly enjoyed the anecdote about the importance of company culture in Jonathan Davidson’s (FCA Executive Director of Supervision) introduction to the paper, where he retells the story of JFK visiting NASA in 1962 when JFK asked a janitor, ‘What are you doing?’ and the janitor answered, ‘Mr President, I’m helping to put a man on the moon’ to which Davidson adds: ‘Imagine feeling that sense of purpose as an individual. And as a leader, imagine how it would feel to know that your employees feel that level of inspiration as a result of being part of your organisation.’
The FCA’s response to COVID-19: On 4 June 2020, the Financial Conduct Authority (“FCA”) issued its response to COVID-19 in a speech delivered by the FCA’s Executive Director of Supervision, Megan Butler, at a virtual event. In the speech, Butler referenced the Dear CEO letter released by the FCA on 31 March 2020, which set out a temporary ease of reporting burden for some firms to inform their investors if the value of the portfolio under their management drops by 10% or more. Butler made clear that firms must have contingency plans to deal with disruptions as a result of the pandemic and that firms must not cut corners on governance or systems of controls. Butler also noted that the FCA was looking to shift from a regulatory framework, based on rules, to one that focuses on outcomes. The speech followed proposed guidance, released by the FCA on 22 May 2020, to strengthen payment firms’ prudential risk management and arrangements for safeguarding customers’ funds in light of the coronavirus pandemic. As the pandemic continues to evolve, the FCA and other regulatory bodies in the UK will no doubt issue further guidance for firms within their regulatory scope. For a full digest of the FCA’s recent announcements, please see our MoFo FCA COVID-19 update.
Commerzbank fined by FCA for failing to put in place adequate anti-money laundering systems and controls: On 17 June 2020, the FCA announced that it had fined the Frankfurt-based Commerzbank £37.8M for failing to put adequate anti-money laundering systems and controls in place between October 2012 and September 2017. The FCA emphasised that firms operating in the UK, including branches of overseas firms, must take reasonable care to organise and control their affairs responsibly and effectively. Commerzbank was criticized by the FCA for failing to put in place adequate resources for carrying out periodic know-your-client and beneficial ownership checks. The FCA noted that by 1 March 2017, 1,772 clients were overdue updated due diligence checks and a material number continued to do business due to Commerzbank’s exceptions process which was not adequately controlled or overseen and which became “out of control” by the end of 2016. The regulator also identified major issues with the automated checks, finding that in 2015, 40 high-risk countries and 1,110 high-risk clients had not been included in the monitoring tool. Commerzbank received a 30% discount from the FCA in response to its early cooperation with the FCA. The fine serves as a reminder that firms should carefully consider the operational elements of anti-money laundering systems and controls to ensure that those systems in place are not only adequate but also enforceable by those tasked with implementing the policies.
The UK data protection regulator, the Information Commissioner’s Office (ICO), remains active but understanding in a COVID-19 world: The ICO published a paper setting out its regulatory approach to enforcement during the COVID-19 pandemic, noting that it will show some flexibility in its response – in particular, those under investigation may be granted longer response periods, and that the economic impact of a fine will be considered when setting the amount to be levied. In addition to this paper, the ICO has announced that “as a regulator we will reflect a society that is, for now, accepting restrictions on liberty to protect public health”.
The ICO has made clear that it cannot change the strict requirements of the GDPR (for example, in the context of deadlines for responding to individuals’ rights requests), but organisations might be able to take some comfort in the knowledge that the ICO will be willing to listen where the effects of the COVID-19 pandemic will either prevent strict compliance with data protection legislation, or will mean that a substantial fine could be a financially crippling one. However, there will be some give and take, and it seems that organisations will fare better when they can be seen to be doing their best to comply and/or to get back to some form of regularity in their reactions to data issues.
Return to work and workplace testing: While the ICO has indicated it will be understanding as to the complexities suffered by organisations as a result of COVID-19, it has been keen to stress that such organisations should continue to consider data protection requirements, including in the context of return to work measures and technologies. In particular, the ICO has issued guidance on workplace testing, in which it stresses that employers will need to consider data protection legislation if carrying out tests on employees, for example, to check whether employees have COVID-19 symptoms. The ICO has also issued specific guidance on the use of contact tracing (though such guidance applies primarily to the developers of contact tracing apps rather than organisations that choose to use them).
ICO issues maximum fine for a cybersecurity data breach: March 2020 saw the ICO issue the maximum fine of £500,000 (under the old Data Protection Act 1998) to airline Cathay Pacific for the contraventions of data protection principles that led to a data breach that Cathay Pacific suffered from October 2014 to May 2018. The ICO found serious inadequacies in cybersecurity, which led to 9.4 million customers’ information being released. The information included names, passport details, postal and email addresses, phone numbers, frequent flyer membership numbers, and historical travel information. Although, upon discovery of the breach, Cathay Pacific reacted swiftly by promptly engaging a cyber-security firm and self-reporting the unauthorised access to the ICO, the ICO found that Cathay Pacific had failed to take reasonable steps to prevent the contraventions, which it should reasonably have anticipated would both occur and cause substantial damage. In particular, Cathay Pacific had breached its own retention policies, which, the ICO determined, demonstrated its awareness of the risks that its omissions could cause, and its failure to mitigate those risks.
It is hard to say what fine Cathay Pacific would have suffered under the GDPR, and we await the ICO’s response to EasyJet’s data breach that took place in May 2020.
We are grateful to the following team members for their contributions: MoFo associates Tola Adeseye, Pietro Grassi, Ioanna Lamprinaki, Rayhaan Vankalwala, and Sampaguita Tarrant; and trainee solicitors Stephanie Pong and Dan Alam.