- Key principles
In England and Wales, there is no general duty to report actual or suspected criminal activity to the police or other investigative authorities, such as the Serious Fraud Office (SFO).
In some cases, reporting to certain regulators or the public is necessary to comply with statutes or regulatory obligations, and additional reporting of suspected wrongdoing will be prudent. For instance:
- where a company is required to file a Suspicious Activity Report (SAR) with the National Crime Agency (NCA), due to the likelihood that the information will be shared by the NCA with the SFO and/or the Financial Conduct Authority (FCA);
- where a company knows or has reasonable cause to suspect that a person has committed a sanctions related offence or is a person subject to a sanctions related asset freeze, and must notify that knowledge or suspicion to the Office of Financial Sanctions (OFSI);
- for listed companies, where the investigated activity would, if made public, be likely to have a significant effect on share price and requires disclosure to the public; and
- for regulated firms and individuals obliged to be open and cooperative with the FCA and the Prudential Regulation Authority (PRA), where the investigated activity is information of which these regulators would reasonably expect notice.
Even in circumstances where an entity is under no obligation to report suspected wrongdoing, it may be sensible to make an early, voluntary self-report to law enforcement authorities. Often, these authorities are likely to discover the activity in any event through other means, such as a whistle-blower or cooperation with an overseas regulator. Finally (but not least of all), full cooperation with authorities will maximise the reporting entity’s prospects of avoiding criminal conviction (via a Deferred Prosecution Agreement (DPA)) and reducing any fine. As Sir Brian Leveson noted when approving the Rolls-Royce DPA, discussed further below, “keeping quiet” about past misconduct “carries with it cataclysmic risks.”
If a company wishes to put itself in a good position to obtain a DPA, any self-report to the SFO ought to be made at an early stage - “within a reasonable time of the offending coming to light” - and certainly once initial concerns of wrongdoing have been confirmed to be “real and substantive”. Recently, Joint Head of Fraud Hannah van Dadelszen has emphasised the need for “genuine cooperation” from companies when self-reporting. Timely disclosure will weigh heavily in the SFO’s and Court’s assessment of genuine cooperation. Standard Bank, the first company to enter a DPA, was praised by Leveson LJ for its speed in self-reporting within days of becoming aware of the facts (and before any internal investigation was conducted).
- Recent developments
- On 06 August 2019, the SFO published the Corporate Cooperation Guidance for companies considering whether to self-report fraud or wrongdoing and to cooperate with the SFO subsequently. In its Guidance, the SFO asks companies to go “above and beyond what the law requires” in order to be deemed “co-operative” - a designation that then entitles a company to (potentially) avoid prosecution or be offered the chance to enter DPA negotiations. While the Guidance provides welcome detail as to the SFO’s expectations for a company to be deemed co-operative, in a list of “good practices” it remains difficult for companies to determine whether the (potential) benefits of cooperating with the SFO outweigh the burdens. Those burdens are not simply the expectations listed in the Guidance, which will be costly and resource-intensive. There are additional implications of waiving privilege and producing evidence to the SFO, as that evidence may in future be used against individuals and against the company itself in parallel proceedings – whether these take the form of civil claims, employment suits or shareholder actions. . For a more detailed analysis on the Guidance, please see our article here.
- Lisa Osofsky (Director, SFO) spoke at the Cambridge Symposium on Economic Crime in September 2019 and discussed how the private sector can cooperate in preventing crime. She said that the law should give the private sector a “good, strong nudge”, and that “one of the laudable goals of our criminal justice system is to create proper incentives, to help give private entities sound commercial reasons to act with integrity, and to create consequences for criminal behaviour”. This, she said, is why:
- there is an adequate procedures defence in the Bribery Act;
- the Ministry of Justice promulgated the Six Principles of a sound compliance programme; and
- codes that govern prosecutors’ decisions to bring charges instruct the SFO to take into account the existence of effective compliance programmes and self-reporting.
She said that the law was designed to incentivise the private sector to be willing to report crime and to cooperate when the SFO investigates and prosecutes suspects of crime.
- In March 2019, a Committee of the House of Lords published a report reviewing the Bribery Act 2010 and provided a review of the DPA regime.
- The Committee found that DPAs have proved to be an effective way in which to handle corporate bribery, incentivising self-reporting. It was not persuaded that a greater discount is needed than the 50% allowed in some DPAs so far in order to encourage self-reporting. However, the Committee expressed its view that if self-reporting is to be encouraged, “a distinction should be drawn between the discount granted to a company which has self-reported and one which has not”.
- The Committee also emphasised that a DPA with a company is not and should not be a substitute for the prosecution of any individuals who are implicated in bribery and other corrupt conduct. In his evidence, Sir Brian Leveson, who has overseen the hearings of all DPAs approved to date, told the Committee that he could not “contemplate agreeing a DPA if the people who were responsible for the corrupt payments or other criminality remained in the company”. The report concludes that the cooperation expected of a company entering a DPA “must include provision of all available evidence which might implicate any individuals, however senior, who are suspected of being involved in the bribery being considered”.
- The report also proposes an amendment to the statutory regime for DPAs, abolishing the “rigid” requirement to hold one hearing in private and then a short time later to hold a further hearing in public, both effectively deciding whether the DPA is in the interests of justice and that its terms are fair, reasonable and proportionate. Sir Brian Leveson said in his evidence that more flexibility is required and that “there is no reason why one judgment is not sufficient”. This may lead to a change in the court process for DPAs.
For more on the report, please read our article here.
- Practical tips in an investigation
- Deciding if and when to self-report is a key decision and should be kept under review. Reporting obligations differ as between regulatory authorities and jurisdictions. If a parallel reporting obligation exists (or subsequently arises), there may be no possibility of postponing voluntary disclosure, because the notified authority will cooperate and share information with other interested authorities (in the UK and overseas).
- The timing of a self-report is key. If a company chooses to engage with authorities, delay may threaten cooperation credit and risk whistleblowers or other interested parties being "first in the door".
- Self-reporting is only the first step for a company that wants to cooperate with authorities. The SFO, for instance, will prefer to take control of any investigation - thereby preserving the “crime scene” - but it will also expect the company to identify witnesses, make them available for interview, disclose first accounts of interviews and enable access to documents. Nor is court approval of a DPA the finish line: the DPAs entered into by Standard Bank, XYZ and Rolls Royce all require the ongoing cooperation of each company to pursue individuals implicated in the wrongdoing.
- International perspective
- For cross-border investigations, companies must consider whether to disclose potential wrongdoing to authorities in all relevant jurisdictions, and not simply to the authority judged to have the most pressing regulatory interest. Overseas authorities will apply different approaches to self-reporting, cooperation and the conduct of any internal investigations. However, the SFO has commented that “although law enforcement agencies do not approach compliance programmes in exactly the same way, there will be similarities in what we are looking for”.
- It is important, in particular, to understand the alternatives to prosecution across jurisdictions (see, for instance, the introduction of the DPA in France, followed by the first Court approval of a DPA between the PNF and HSBC Private Bank Switzerland on 14 November 2017). Seeking local legal advice in advance of disclosure in all relevant jurisdictions is advised.
- Additional materials
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.