- Key principles
In England and Wales, there is no general duty to report actual or suspected criminal activity to the police or other investigative authorities, such as the Serious Fraud Office (SFO).
In some cases, reporting to certain regulators or the public is necessary to comply with statutes or regulatory obligations, and additional reporting of suspected wrongdoing will be prudent. For instance:
- where a company is required to file a Suspicious Activity Report (SAR) with the National Crime Agency (NCA), due to the likelihood that the information will be shared by the NCA with the SFO and/or Financial Conduct Authority (FCA)
- where a company knows or has reasonable cause to suspect that a person has committed a sanctions related offence or is a person subject to a sanctions related asset freeze, and must notify that knowledge or suspicion to the Office of Financial Sanctions (OFSI)
- for listed companies, where the investigated activity would, if made public, be likely to have a significant effect on share price and requires disclosure to the public, and
- for regulated firms and individuals obliged to be open and cooperative with the FCA and Prudential Regulation Authority (PRA), where the investigated activity is information of which these regulators would reasonably expect notice.)
Even in circumstances where an entity is under no obligation to report suspected wrongdoing, it may be sensible to make an early, voluntary self-report to law enforcement authorities. Often, these authorities are likely to discover the activity in any event through other means, such as a whistle-blower or cooperation with an overseas regulator. Finally (but not least of all), full cooperation with authorities will maximise the reporting entity’s prospects of avoiding criminal conviction (via a Deferred Prosecution Agreement (DPA)) and reducing any fine. As Sir Brian Leveson noted when approving the Rolls-Royce DPA, discussed further below, “keeping quiet” about past misconduct “carries with it cataclysmic risks.”
If a company wishes to put itself in a good position to obtain a DPA, any self-report to the SFO ought to be made at an early stage - “‘within a reasonable time of the offending coming to light” - and certainly once initial concerns of wrongdoing have been confirmed to be “real and substantive”. Recently, Joint Head of Fraud Hannah van Dadelszen has emphasised the need for “genuine cooperation” from companies when self-reporting. Timely disclosure will weigh heavily in the SFO’s and Court’s assessment of genuine cooperation. Standard Bank, the first company to enter a DPA, was praised by Leveson LJ for its speed in self-reporting within days of becoming aware of the facts (and before any internal investigation was conducted).
- Recent developments
- Lisa Osofsky (Director, SFO) spoke to the Trace European Forum in November 2018 and gave a view of her envisioned policy direction under her term as Director of the SFO. She said that:
- The SFO would only offer DPAs to companies that “cooperate” (for example, by providing new information). She emphasised that the SFO wanted to hear “something that we don’t know”;
- The SFO is considering whether to provide companies with guidance on what cooperation means in the context of the SFO’s assessment for a DPA;
- She would like to work closely with international counterparts of the SFO on investigations; and
- It is important for SFO prosecutors to understand compliance to assess whether companies have adequate procedures and whether they have done enough to remediate. She said that “I am going to be a more effective prosecutor and I am going to be very comfortable listening if a company comes forward and has evidence that they have done an awful lot to reform”.
- As the recent case of R v Skansen Interiors Limited highlighted, self-reporting bribery to the SFO is not sufficient in itself to attract a DPA. Despite its self-report, Skansen was not offered a DPA by the SFO, and chose to test the “adequate procedures” defence at jury trial. Section 7(2) of the Bribery Act 2010 provides a defence to bribery where an organisation can show that it had in place “adequate procedures” to avoid bribery taking place. Skansen sought to demonstrate that the company’s size and localised business meant that it did not require particularly sophisticated procedures. Further, Skansen made the point that it did not need a detailed policy against bribery and corruption because it was common sense. Both arguments failed with the jury, which convicted Skansen. The SFO’s Joint Head of Bribery and Corruption, Camilla de Silva, subsequently commented that the case is a “salient reminder to corporates to ensure their compliance procedures are sufficiently robust and [of] the high bar that will need to be reached for a section 7 defence to succeed”. Further analysis of this conviction is available here: First contested UK prosecution for failing to prevent bribery leads to conviction.
- In the recent case of Lonsdale v National Westminster Bank plc  EWHC 1843 (QB), it was held that that SARs may be disclosable to the entity to which it was subject. Lonsdale applied to inspect SARs made by National Westminster Bank against Lonsdale in his proceedings against National Westminster Bank for breach of contract, defamation and breach of the Data Protection Act 1998. The court held that inspection of the SARs by Lonsdale was necessary for the fair disposal of the claim. This case is a reminder that SARs may be disclosable and careful consideration should be given to the need for reporting, and the content and tone of any report.
- Practical tips in an investigation
- Deciding if and when to self-report is a key decision and should be kept under review. Reporting obligations differ as between regulatory authorities and jurisdictions. If a parallel reporting obligation exists (or subsequently arises), there may be no possibility of postponing voluntary disclosure, because the notified authority will cooperate and share information with other interested authorities (in the UK and overseas).
- The timing of a self-report is key. If a company chooses to engage with authorities, delay may threaten cooperation credit and risk whistleblowers or other interested parties being "first in the door".
- Self-reporting is only the first step for a company that wants to cooperate with authorities. The SFO, for instance, will prefer to take control of any investigation - thereby preserving the “crime scene” - but it will also expect the company to identify witnesses, make them available for interview, disclose first accounts of interviews and enable access to documents. Nor is court approval of a DPA the finish line: the DPAs entered into by Standard Bank, XYZ and Rolls Royce all require the ongoing cooperation of each company to pursue individuals implicated in the wrongdoing.
- International perspective
- For cross-border investigations, companies must consider whether to disclose potential wrongdoing to authorities in all relevant jurisdictions, and not simply to the authority judged to have the most pressing regulatory interest. Overseas authorities will apply different approaches to self-reporting, cooperation and the conduct of any internal investigations. However, the SFO has commented that “although law enforcement agencies do not approach compliance programmes in exactly the same way, there will be similarities in what we are looking for”.
- It is important, in particular, to understand the alternatives to prosecution across jurisdictions (see, for instance, the introduction of the DPA in France, followed by the first Court approval of a DPA between the PNF and HSBC Private Bank Switzerland on 14 November 2017). Seeking local legal advice in advance of disclosure in all relevant jurisdictions is advised.
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.