In this article we look at two key reforms to the law of corporate criminal liability introduced by the Act.

1. The Act has created a new offence of "failure to prevent" fraud, which is expected to come into force by the end of the first quarter 2024. This new offence is part of a wider reform of corporate criminal liability, but applies only to large organisations and their subsidiaries. 
2. The Act also expands the reach of the identification doctrine, which is the process by which the acts of individuals are attributed to a company, for the purpose of attributing criminal liability to the company for a broad range of economic offences. 

The changes are made in the context of an increased focus on fraud among regulators and prosecutors, particularly since Government statistics released in 2022 indicated that fraud accounted for 41% of all crime against individuals in England and Wales. The failure to prevent fraud offence is one tool being introduced to seek to address this rise in fraud and it will mark a sea change in the way large companies are expected to structure their compliance procedures with respect to fraud. At present, the vast majority of companies' fraud policies focus on the risk of a company losing money to fraud.

Companies should now start to review their compliance programmes in order to determine if they will need to be updated to ensure they cover the risk of the company and its associated parties defrauding others.

Set out below is:

1. an overview of the key elements of the new failure to prevent fraud offence and some practical examples of how this offence may apply to large companies in different circumstances, such as when making statements about the company's performance and/or green credentials and sales practices;
2. an overview of the changes to the test for corporate criminal liability and its likely impact on companies of all sizes; and
3. practical steps companies can take now to prepare for the coming changes. 

1. The failure to prevent fraud offence

The offence's mechanics

The failure to prevent fraud offence is set out in section 199 of the Act. Under the new offence, a large organisation (and its subsidiaries) will be liable if it fails to prevent an associated person committing a specified fraud offence where that fraud is intended to benefit the organisation or a person to whom services are provided on behalf of the organisation.

Significantly, there is a total defence to the failure to prevent fraud offence where an organisation can demonstrate it had in place reasonable procedures at the time of the offending. 

It should also be noted that an organisation will not be liable for the offence in certain circumstances where it can show it was the intended victim of the underlying fraud. 

Which fraud offences are in scope?

The fraud offences covered by the offence are set out in schedule 13 of the Act. They are wide ranging and include (as well as aiding, abetting, or procuring the commission of such offences) the following offences (along with further offences under Scottish and Northern Irish criminal law):

• Fraud by false representation (section 2, Fraud Act 2006);
• Fraud by failing to disclose information (section 3, Fraud Act 2006);
• Fraud by abuse of position (section 4, Fraud Act 2006);
• Participation in a fraudulent business (section 9, Fraud Act 2006);
• Obtaining services dishonestly (section 11, Fraud Act 2006);
• False accounting (section 17, Theft Act 1968);
• False statements by company directors (Section 19, Theft Act 1968);
• Fraudulent trading (section 993, Companies Act 2006); and
• Cheating the public revenue (common law).

In practice, this list of offences will capture a broad range of conduct. This will likely include statements made by companies in their financial documents and accounts, regulatory filings, sales materials, insurance claims and prospectuses. In all cases though, the underlying fraud offence must be made out, so a prosecutor would always need to establish dishonesty on the part of the perpetrator as a first step. Also, while the failure to prevent offence itself does not impose any jurisdictional limits on how closely connected to the UK the conduct must be, the jurisdictional limits of the underlying fraud offence must be met in any prosecution.

Which organisations are in scope?

As a starting point, the failure to prevent offence applies to companies and partnerships, wherever in the world they are incorporated or formed. However, there is an important limitation based on an organisation's size.

Prior to the Act receiving royal assent, a final area of debate between the Houses of Commons and Lords revolved around whether all companies and partnerships, regardless of size, should be in scope for the new offence. Ultimately, it was determined that the principal failure to prevent fraud offence only applies to "large organisations".

Large organisations are defined as organisations which in the financial year prior to the year of the offence, satisfy two or more of the following:

• Turnover of more than £36 million;
• Balance sheet total of more than £18 million; or
• More than 250 employees.

This does not, however, mean that companies that do not meet those thresholds are completely outside the scope of the new offence. Subsidiaries of large organisations, regardless of their size, will be liable for fraud offences committed by their employees (but not a wider group of associated persons) where the intention of the conduct was to benefit the subsidiary. This could mean that small, UK based subsidiaries of larger overseas companies may fall within the scope of the offence. 

Who is an associated person?

The definition of an associated person is similar to that under the Bribery Act 2010 but with some important distinctions. Like with the Bribery Act, a person who performs services for or on behalf of a company will be an associated person under the new offence. However, unlike under the Bribery Act, under the new offence, employees, agents and subsidiaries will automatically be associated persons of a company. This marks a change from the Bribery Act, particularly in the case of subsidiaries, where there is often real analysis to be performed as to whether they are in fact performing services on behalf of their parent company.

Who might be an associated person?

• Employees
• Agents
• Subsidiaries
• Advertisers hired by a company
• Brokers and sales agents acting for a company
• Professional advisers 

Hypothetical examples of the failure to prevent fraud offence

Let's consider three hypothetical scenarios alongside this new failure to prevent fraud offence.

Scenario 1 – Greenwashing in an annual report: A FTSE 250 UK consumer goods business claims in its annual report that the creation of its products is net-zero with respect to CO2 emissions. This statement was inserted by a team of analysts who knew it was not likely to be true when tested but wanted to satisfy shareholder demands around sustainability and the good press that would flow from making this statement. It is subsequently determined that this environmental claim is misleading. 

In this scenario, it would appear likely that the employees who made the statement were associated persons of the company and, subject to establishing dishonesty on their part, committed an underlying fraud offence. 

This is, therefore, likely to mean that the corporate (assuming it is sufficiently large and does not have in place reasonable prevention procedures) will have committed the offence of failing to prevent this fraud from taking place, even if no senior individuals in the company knew about it.

Scenario 2 – Misleading telesales scripts: A junior employee in the telesales team at a company selling boilers drafts a script that contains deliberately misleading statements about the safety record of one of the boilers he is trying to sell with the intention of increasing sales of the boiler. He uses that script when speaking to potential customers.

Even though the employee here is junior within the company, it is likely the boiler company (assuming it is sufficiently large and does not have in place reasonable prevention procedures) will be liable for the failure to prevent fraud offence on the basis of his conduct. 

Scenario 3 – Misleading search engine adverts: A search engine runs an advertisement for a carbon credit trading scheme that is identified as a sham.  

It is unlikely that the fraudster setting up the carbon credit trading scheme would be an associated person of the search engine company and would not be acting for the benefit of the search engine in creating this fraudulent scheme. Therefore, it is unlikely this would lead to a prosecution of the company that runs the search engine for failing to prevent this fraud.

2. Revision of the identification doctrine for economic crime offences

The failure to prevent fraud offence is just one way the Act seeks to reform the law around corporate criminal liability. Additional changes are also made under the Act to extend the scope of corporate criminal liability for all companies in relation to a range of wider economic offences.  These wider changes to the law of corporate criminal liability are explored below and will take effect sooner than the failure to prevent offence; from late December 2023. 

Currently, corporate criminal liability is generally established under English law by using the "identification doctrine". This is a legal test for determining whether the actions of a natural person can be attributed to a corporate to create criminal liability for the corporate. Under current law, the natural person in question must be the "directing mind and will" of the company for its actions to be attributed to the company.

The identification doctrine has been criticised for causing difficulty when prosecuting corporates as it has been very narrowly interpreted by the Courts. This has created significant challenges for prosecutors when pursuing large organisations in particular as they generally have multiple layers of management, so it is difficult to identify the directing mind and will. By way of example, the Serious Fraud Office's (SFO) prosecution of the Chief Executive Officer and Chief Financial Officer of Barclays Bank Plc, amongst other senior leaders, failed in 2020 as the Court found these individuals did not represent the directing mind and will of the bank. 

Section 196 of the Act is set to change this test for a wide range of economic crime offences to better reflect modern, complex corporate structures. The identification doctrine will remain as the test for attributing the action of an individual to a company, but the directing mind and will test will be replaced by a new test based on whether or not the individuals involved are considered to be "senior managers" of the company. A senior manager is defined as an individual who plays a significant role in the decision making, management or organisation of the whole or substantial part of the activities of a body corporate or partnership. This is likely to include a much broader range of individuals than those that make up the directing mind and will of the company.

The updated identification doctrine applies a list of offences set out in Schedule 12 of the Act which include theft, various fraud and tax offences, bribery offences under the Bribery Act, money laundering offences under the Proceeds of Crime Act 2002 and terrorist financing offences under the Terrorism Act 2000.

Unlike the failure to prevent fraud offence, this change will apply to all companies, with no limitations based on size. There will also be no defence based on preventative procedures. 

3. How organisations can start to prepare

Preparing for the failure to prevent fraud offence

The failure to prevent fraud offence will not take effect until statutory guidance is published on what can be expected of a company in implementing the reasonable prevention procedures required to establish a defence under the Act. That guidance is expected to be finalised before the end of the first quarter 2024, after which, companies may have only limited time to respond and prepare. 

What will the statutory guidance say?

The starting point for the statutory guidance is likely to be the guidance issued to support the Bribery Act in 2011 and the failure to prevent tax evasion offence in 2017. However, there are expectations that it will be updated and enhanced to reflect developments in corporate practice over the last decade, in particular the use of technology in compliance programmes. For example, we anticipate there could be direction on subjects that are absent from the Bribery Act guidance, such as how a company uses data analytics and management information to manage fraud risk and around how companies might investigate fraud issues internally.  

Updating the guidance in this way will be important. The more detailed and current the guidance, the more effective it is likely to be in assisting companies in combatting fraud. In recent years, agencies in other jurisdictions (particularly the US and France) have continued to provide increasingly up-to-date guidance on their expectations of companies' compliance frameworks. To provide guidance mirroring the guidance of the Bribery Act would risk perpetuating an outdated model and make the UK somewhat of an outlier in that respect. 

Even in advance of the guidance being published, organisations can take steps to prepare for the new compliance standards that will likely be created as a result of this new failure to prevent fraud offence. Steps that large organisations should consider taking include:

• Reviewing and assessing policies and procedures to determine whether there are pre-existing provisions relating to the prevention of fraud by employees, subsidiaries and agents against third parties. If there are not, organisations should decide how they wish to implement such policies and procedures through their existing compliance framework (e.g., updating an existing fraud policy).
• Giving consideration to where relevant risks and responsibilities for managing such risks sits within the organisation, given the wide range of conduct potentially caught by the new offence – from management of third parties, to tax matters, to preparing and filing accounts.
• Starting to map out communications and training plans to ensure companies are in a position to identify these new risks created by their associated persons, although the content may be further refined when the statutory guidance is published. 

Preparing for the changes to the identification doctrine

Companies should also take steps to prepare for the changes to the law around the attribution of corporate criminal liability. These changes will come into force sooner than the failure to prevent fraud offence, in late December 2023, and no guidance is expected prior to them taking effect.

The aim of the legislative change is to broaden the group of employees deemed senior enough to have their acts attributed to the company. Companies may begin preparations on that basis. 

Companies may wish to consider the following actions to address this expansion of the identification principle:

• Identify which employees are exercising management responsibilities and are therefore sufficiently senior to have their actions attributed to the company.
• Review existing records to determine whether that group has been fully trained in relation to the wide range of financial crime offences in the scope of this new law and whether any historical issues have arisen relating to the conduct of the employees at that level.
• Ensure that group of managers are properly trained in relation to a wide range of financial crimes and associated risks, including how the company communicates with that group around training.
• Review recruitment processes for the hiring of individuals into management roles to address the risks a particular individual may present in terms of compliance with criminal law.

4. Further steps in the Act to combat economic crime and enhance transparency 

The Act is a large, wide ranging piece of legislation and the corporate criminal liability reforms discussed in this article are only a small set of the changes being introduced.

One additional area of change that may have an impact on companies in the area of economic crime relates to an expansion of the SFO's pre-investigation powers of compulsion of evidence under the Criminal Justice Act 1987. 

Previously, the SFO was only able to use its powers of compulsion before opening a formal investigation, to assist in its determination of whether to commence such an investigation, in cases of potential bribery and corruption. The Act removes that limitation, allowing the SFO to use those powers of compulsion in respect of a wider range of economic crimes, including fraud.

These additional powers will be a useful tool for the SFO as it begins to look at potential cases using the new failure to prevent fraud offence and it may result in more section 2 Criminal Justice Act notices, more dawn raids, and ultimately more formal SFO fraud investigations now that a significant initial obstacle to getting them off the ground has been removed. 

Additionally, the Act introduces numerous changes relating to enhancing corporate transparency. Our colleagues in our Corporate team have considered some of those developments here.

The bribery and corruption chapter in the compliance handbook provides guidance to regulated firms on how they can ensure that they have adequate systems and controls in place to respond to the particular issues posed by the legislation.

It should also be noted that, while English anti-bribery law (in particular, the Act) has broad criminal application, there are also further specific obligations and expectations on regulated entities. This chapter not only examines the ways in which the Act operates and the associated best practices, but also considers specific regulatory obligations.

Recent Financial Conduct Authority (FCA) enforcement cases against regulated firms for bribery and corruption control failings illustrate the regulator's enforcement work and how important it is for regulated firms to ensure they have implemented suitable controls. The FCA's recent focus on these issues was demonstrated by the combined penalties of £143 million across seven bribery and corruption-related enforcement actions in 2022.

While the FCA will not itself prosecute breaches of the Act, it will take a keen interest in the anti-corruption systems and controls of the firms it supervises. It may take regulatory enforcement action against firms who do not comply with their responsibilities.

New content

The chapter has been updated to provide more detail on recent corporate prosecutions; for example, SFO v Glencore Energy UK Ltd. Glencore was ordered to pay £280,965,092.95 (over $400 million) after a Serious Fraud Office (SFO) investigation revealed it had paid $29 million in bribes to maximise its oil trading profits in five African countries. The SFO estimated Glencore’s bribery to have created a financial benefit of approximately £93.5 million for the company.

The Glencore case was the first example of a company being convicted under Section 1 of the Act, meaning that the SFO was able to meet the threshold for establishing corporate criminal liability through the involvement of senior individuals at the company.

The chapter is written and maintained for Regulatory Intelligence by Sam Tate, Kate Langley, and Alexandra Prato of RPC.

Handbooks on Regulatory Intelligence

The UK compliance handbook is a guide to certain key aspects of the Prudential Regulation Authority (PRA) and FCA rules. The handbook covers a wide range of subjects, from obtaining authorisation from one or both UK regulators, to discussing the requirements of the General Data Protection Regulation (GDPR). Not all subjects are drawn from the PRA or FCA's specific rules, but they are subjects about which compliance practitioners need to be aware.

The handbook emphasises providing compliance practitioners with insight into the practical application of FCA and PRA rules. Each chapter is discussed in the statutory and regulatory context with practical analysis of the subject, together with tips and guidance that firms may find helpful.

The handbook can be used for reference, or as a training aid for those who are new to the compliance industry. (Lindsay Anderson, Regulatory Intelligence)

This article was produced and published on the Thomson Reuters Accelus Regulatory Intelligence.

To access the latest ABC chapter of the Thomson Reuters Compliance Handbook visit http://go-ri.tr.com/kNVDJQ [paywall] or get in touch with the RPC's White Collar Crime & Compliance team to request a copy.

Melanie Musgrave and Leonia Chesterfield take a look at a few key changes to competition law proposed by the Bill.

On 11 April, the highly anticipated failure to prevent fraud offence was introduced in an amendment to the Economic Crime and Corporate Transparency Bill (the Economic Crime Bill or the Bill).  Although there has been much discussion of this potential offence since the start of this year, this amendment is significant as it is the first time that structure and detail of the offence has been formally included in the Bill.  The amendment gives a much clearer indication of how the failure to prevent fraud offence might operate when it comes into force. 

When enacted, this offence promises to become an important tool for UK economic crime prosecutors and is likely to see major changes to the compliance programmes of large companies in the UK and overseas.  

In this article, we will look at how the act is likely to operate, focusing on the developments that will be interesting to monitor as the Bill continues through Parliament along with offering some practical steps companies might take now to be as prepared as possible. 

The Context to the Failure to Prevent Fraud Offence 

Even prior to the amendment's introduction into the Bill, the failure to prevent fraud offence has received a great deal of attention.  Its introduction arises out of the long running consultation and related discussions regarding corporate criminal liability in the UK, in particular calls to reform the identification doctrine, which has presented challenges for prosecutors when pursuing corporates.  

The need to reform the tools to prosecute fraud, in particular, has come under scrutiny.  In its November 2022 report, the parliamentary Fraud Act 2006 and Digital Fraud Committee identified that fraud accounted for 41% of all crime committed against individuals in the UK and called for the introduction of a failure to prevent offence as one aspect of the approach to combat the offending. 

Throughout discussions of the Economic Crime Bill, there appears to have been real cross-party appetite for the introduction of such a "failure to prevent" offence.

How will the new offence operate? 

The amendment provides, for the first time, some relatively clear indications of how the offence will work in practice once it comes into law.

Many of the concepts contained in the failure to prevent fraud offence – such as associated persons, a defence based on preventative procedures and unlimited fines for offenders – are familiar from the failure to prevent offences already on the statute books (namely failure to prevent bribery under s.7 of the Bribery Act 2010 and failure to prevent tax evasion under Part 3 of the Criminal Finances Act 2017).  There are however some key distinctions in how the failure to prevent fraud offence will operate.  Of course, given the relatively early stage of the parliamentary debate over the offence, there is a chance changes may still be made to its structure.

Under the current drafting, a large organisation will be subject to an unlimited fine if:

1. A person who is associated with a relevant body commits a fraud offence with the intention of benefitting their organisation, or an organisation who they provide services to on behalf of the relevant body; and
2. The relevant body did not have in place reasonable fraud prevention procedures.

As currently drafted, the new failure to prevent fraud offence is unlikely to effectively address many of the issues identified by the parliamentary Fraud Act 2006 and Digital Fraud Committee in its November 2022 report.  That report focused on digital fraud schemes, including online scams.  It does not appear, for example, that the failure to prevent fraud offence will be a tool that could be used to prosecute companies operating search engines for putting up misleading adverts.  Rather, the new offence is perhaps best viewed as an attempt to address issues with the English law of corporate criminal liability, by introducing a further corporate offence that prosecutors will be able to pursue without meeting the high threshold of the "directing mind and will" test established by the identification principle.

We will look at how some of the specific aspects of the offence are likely to operate.

Which fraud offences are in scope?

The fraud offences covered by the offence are wide ranging and will include (as well as the aiding, abetting, or procuring the commission of such offences) the following offences:

• Fraud by false representation (section 2, Fraud Act 2006);
• Fraud by failing to disclose information (section 3, Fraud Act 2006);
• Fraud by abuse of position (section 4, Fraud Act 2006);
• Obtaining services dishonestly (section 11, Fraud Act 2006);
• Participation in a fraudulent business (section 9, Fraud Act 2006);
• False statements by company directors (Section 19, Theft Act 1968);
• False accounting (section 17, Theft Act 1968);
• Fraudulent trading (section 993, Companies Act 2006); and
• Cheating the public revenue (common law).

To whom does the new offence apply?

The drafting of the amendment makes it clear that the new offence will only apply to "large organisations".  These are defined as organisations who in the financial year prior to the year of the offence, satisfy two or more of the following:

• Turnover of more than £36 million;
• Balance sheet total of more than £18 million; or
• More than 250 employees.

Prior to the introduction of the amendment, there had been some discussion around whether the new offence would apply in the same way to companies of all sizes.  One perhaps unintended consequence of the failure to prevent offence in the Bribery Act, which does not expressly distinguish between companies of different size and resource, has been the significant attention smaller companies have needed to pay to implementing and managing anti-bribery policies and procedures, often at great expense.  It now seems clear that smaller companies will not be obliged to make equivalent changes for fraud prevention policies.

Scenarios where the new offence may affect the likelihood of a corporate criminal prosecution:

Scenario 1 – Misleading investors in an IPO: During an IPO process, an employee or agent of a company makes a deliberately misleading statement in its offer documents to bidders as to the value of the underlying assets of the company.  Even if senior management of the company did not instruct the employee to make the misleading statement, under the new offence, establishing criminal liability against the company is likely to be easier than under current law.

Scenario 2 – Misleading consumers as to the environmental impact of a product: Sales agents of a company that manufactures cars make deliberately misleading statements to potential customers as to the environmental impact of the cars when in operation.  Even where the manufacturing company did not have knowledge that the sales agents planned to make this statement, a corporate prosecution will be easier under the new offence.

Scenario 3 – Manipulation of interbank rates: An employee of a bank intentionally submits false interest rate figures to manipulate an interbank rate.  The new offence would not require prosecutors to establish knowledge of the scheme by senior management of the bank to establish a criminal prosecution.

Scenario 4 – Insurance mis-selling: A broker, acting on behalf of an insurance company, sells an insurance policy to a consumer, knowing that the policy was not suitable for that customer.  Even where the insurer was not involved in the sale, and there was nothing inherently wrong with the policy that was sold (if sold to the intended customers), prosecutors may be able to prosecute the insurer under the new offence.

A scenario where the new offence is unlikely to affect the likelihood of a corporate prosecution:

Misleading search engine adverts: A search engine runs an advertisement for a carbon credit trading scheme that is identified as a sham.  It is unlikely under the new offence that the fraudster setting up the carbon credit trading scheme would be an associate person of the search engine company, and therefore it is unlikely this would lead to a prosecution of that company under for failure to prevent fraud.

It should also be noted that the offence as currently drafted does not apply to individuals.  There had been some earlier indications in proposed amendments to the Bill that individual liability for failure to prevent economic crime offences might form part of the new package of offences.  It will be interesting to monitor if this prospect is raised again in subsequent discussions in Parliament.

Will the new offence have extra-territorial reach?

The offence will have extra-territorial reach.  Organisations based outside the UK could be prosecuted if an associated person commits the offence under UK law or when targeting those in the UK.

There are some issues surrounding the breadth of the offence's jurisdiction still to be resolved, but the failure to prevent fraud offence seems likely to have a jurisdiction that is as broad, or even broader than the Bribery Act s.7 offence.  Unlike the failure to prevent offence in the Bribery Act, which applies only to companies incorporated in the UK or those that carry on business in the UK, as currently drafted, there are no equivalent limitations to the entities to which the failure to prevent fraud offence will apply.  It will be interesting to see if there is discussion in Parliament about the jurisdictional scope of the offence, in particular, how it applies to companies with no connection to the UK.

Who will be a person who is associated with a relevant body?

The definition is similar to an "associated person" under the Bribery Act.  A person who performs services for or on behalf of a company will be an associated person under the new offence. As with the Bribery Act, employees, agents and subsidiaries are identified as potential associated persons.  However, unlike under the Bribery Act, under the new offence, as currently drafted, employees, agents and subsidiaries will automatically be associated persons of a company.  This would mark a change from the Bribery Act, particularly in the case of subsidiaries, where there is often real analysis to be performed as to whether they are in fact performing services on behalf of their parent company.

Who might be an associated person?

• Employees
• Agents
• Subsidiaries
• Advertisers hired by a company
• Brokers and sales agents acting for a company
• Professional advisers

Like the failure to prevent bribery and tax evasion offences, there will be a complete defence to the failure to prevent fraud offence if a company can show it had reasonable preventive procedures in place.

The amendment requires the Government to produce guidance on how companies will be able to demonstrate reasonable preventative procedures, so more specifics on the steps companies might be required to take will follow.  However, even before that guidance is published, it is possible to make an educated assessment of what will be expected of large companies.

One area we anticipate the guidance will cover will be how large companies use technology and data analytics in their fraud prevention.  While the guidance to the Bribery Act did not specifically refer to this, there are two factors that may now lead to an increased expectation on the use of technology and data as part of a suite of effective preventative measures.  First, more than a decade has passed since the guidance to the Bribery Act was issued.  Compliance-focused technology has improved and become significantly more widely used by companies in that intervening period.  An increased focus on technology and data in the guidance would be consistent with the approach taken in guidance on compliance programmes in other jurisdictions, such as in the 2020 US Department of Justice's guidance to federal prosecutors on evaluating corporate compliance programmes.  Second, the fact that the failure to prevent fraud offence will only apply to large companies might lead to a greater expectation that those companies already employ, or have the financial capability to employ, data analytics as part of their compliance programmes.

Given the similarity of the preventative procedures defence to the defence in s.7 of the Bribery Act, it is likely that guidance issued for that legislation will be helpful in determining what is expected for this new offence.  Companies can reasonably expect that fraud prevention procedures would need to be proportionate and demonstrate top level commitment.  The procedures will need to involve conducting due diligence on third parties and risk assessments.  Companies will need to have clear plans for communicating their procedures to employees and for providing related training.  There will also need to be plans in place for the monitoring and review of the procedures.  Importantly, as was made clear when the failure to prevent tax evasion offence was introduced, it will be important that these procedures are designed by reference to the new offence specifically, and not only as part of a broader overall compliance programme. 

What Actions can Companies take now?

The introduction of the failure to prevent fraud offence is likely to mark one of the most significant changes to economic crime enforcement in the UK since the introduction of the Bribery Act.  The new offence will mark a sea change in the way large companies structure their compliance procedures with respect to fraud.  At present, the vast majority of companies' fraud policies focus on the risk of a company losing money to fraud.  Such programmes will need to be updated to ensure they cover the risks of the company and its third parties defrauding others.  This will extend to all employees and agents, but potentially other third parties like payment processors, accountants and advertisers. 

The offence may come into law as soon as the final quarter of this year.  It will be up to companies to demonstrate they have the appropriate controls in place.  With this in mind, prudent larger companies may take this opportunity to begin to plan for the enactment of the Bill.  That preparation may involve mapping the company's fraud controls already in place, especially as they apply to third parties and third-party risk management.

RPC's White-Collar Crime and Compliance team has prepared a toolkit for companies to use to conduct such a mapping exercise and we would be happy to discuss the issues presented by the new offence and how best to prepare for it. 

• increase the level of oversight of their ARs, including ensuring ARs have adequate systems, controls and resources;
• carry out annual reviews of their ARs and an annual self-assessment of the Principal's own compliance;
• assess and monitor the risk that ARs pose to consumers;
• provide additional information to the FCA on their existing and new ARs;
• notify the FCA of any future appointments at least 30 calendar days prior to its effect; and
• annually provide to the FCA data relating to complaints and revenue.

What actions should you take?

Firms should understand their obligations under the FCA's updated rules and expectations and take the relevant steps to be ready to comply. 

Principals will need to:

• notify the FCA of AR appointments at least 30 calendar days prior to the appointment taking effect;
• collate data on existing ARs as well as any new AR appointments to provide to the FCA – this information includes the primary reason behind the appointment and whether the AR will provide services to retail clients;
• check the accuracy of the details of their ARs on the FCA register;
• provide the FCA with complaints and revenue data on their ARs, up to 60 business days after the principal's accounting reference data; and
• integrate the annual review requirements into existing internal reporting processes

However, the FCA has put in place transitional arrangement to give firms more time to comply with some of the new rules, such as those required to submit information on an on-going basis and to review ARs and self-assess annually.

Is there anything else you should look out for? 

As part of the FCA's enhanced reporting requirements, Principals should expect to receive a Section 165 request for data about their current ARs at some point in December (potentially between 8-10 December). Firms will then have until 28 February 2023 to respond. 

On 23rd May 2022 the Solicitors Regulation Authority (SRA) announced its plans to increase its fining powers from £2,000 to £25,000, along with a strengthening of its punitive powers in other respects. This article will outline these and point out some of the pitfalls ahead. 

Increased fining powers

The SRA said it will increase its fining power twelvefold to a maximum of £25,000. The SRA justified this increase by arguing that cases with fines under £25,000 are relatively straightforward and do not justify the time, cost and stress involved with a hearing before the Solicitors Disciplinary Tribunal (SDT). 

In doing so it has ignored the SDT's recommendation that the SRA's fining powers should be limited to £7,000 for an individual. A similar view on the upper limit was held by the Law Society. The Law Society said, "The independence of the SDT from both the regulator and the profession, its clearly defined processes and transparency means that solicitors generally have more confidence in the SDT’s decision-making processes”, whereas SRA decisions are not publicly scrutinised. 

It is understandable that the SRA's current limit of £2,000 has led to more cases being referred to the SDT and thus caused delays and an increase in costs and impact on those subject to disciplinary proceedings. However, the SRA does not seem to be taking into account the recommendations of the Law Society and the SDT – they are suggesting more moderate increases. The SDT's indicative guidance that fines between £7,500 and 15,000 were more than moderately serious and those over £15,000 were very serious. Whether very serious cases should be decided without independent scrutiny is a concern, although the SRA has addressed this by saying there would be a clear division between SRA investigators and SRA decision-makers and that the independence of decision makers would be safeguarded.
 
Under the new arrangements, solicitors and firms retain the right to appeal adverse decisions to the SDT but respondents to the Consultation question whether this is an adequate safeguard. Many firms and individuals would be quite understandably daunted at the prospect of an appeal and its associated cost. Solicitors facing SRA investigations will be only too aware of the likelihood that they will bear the regulator's costs as well as their own and may recall the 2021 ruling in the case of Liz Ellen, a solicitor who was cleared of misconduct but still had to pay her own defence costs, estimated at £534,000. 

Supporters of an increase in limits will point to the fining powers in relation to Alternative Business Structures which can be fined up to £50m for firms and £50m for individuals. The SRA accepts arguments for greater parity between ABS and traditional firms in this regard. 

Sliding scale of penalties

The SRA will also take into account the turnover of firms and the income of individuals when setting fines, with the intention to introduce more impactful consequences for City firms and lawyers who breach the rules. Fines for firms would be capped at 5% of annual domestic turnover from SRA authorised activities in the last year prior to the misconduct, up from the current 2.5%. For individuals it is proposed that an individual's income related to the tax year prior to the employment in which the misconduct occurred should be used for setting fines. 

The SRA argue that the increased cap would potentially be a more effective deterrent and that a fine at that level would be unlikely to affect the viability of a firm. Firms and individuals would also be able to make representations concerning their ability to pay a fine. However, there are other arguments that profit based/net worth metrics may be more appropriate, as The Law Society highlighted, turnover may not be a reliable indicator of profitability or ready cash. 

The SRA gives the example of different levels of fine issued for the same offence to a low earning junior solicitor compared with a senior equity partner. While this is understandable, there is an issue with disparity of penalty for the same crime. It also glosses over the differences in aggravating and mitigating circumstances in individual cases. 

The SRA counters this by referring to the fining powers of other regulators such as the FCA, arguing that other regulators have shifted their approach to financial penalties as an effective deterrent. 

Fixed penalties for lower-level breaches

The SRA plans to introduce fixed penalties of up to £1,500 for lower-level breaches. The SRA stressed that fixed penalties would not change the bar for its decision to take action, stating "this change will allow us to streamline our approach to misconduct that is currently suitable for a low-level fine…" it also hopes that it can foster "greater transparency around possible disciplinary outcomes for failure to cooperate with [the SRA] as a regulator and more administrative breaches". An example of where they envision this working is a breach such as failure to comply with transparency rules.  The SRA argue that "these kind of matters are capable of objective determination and attracting standardised penalties".   

The SRA proposes to begin with fixed penalties in a small number of defined areas and then take stock of the effectiveness of the scheme before extending it further. Their current suggested fine would be a maximum of £800 for a first breach and £1,500 for subsequent offences. 

While this approach would be welcome, more needs to be understood on what the straightforward administrative breaches are.  The SRA have stated that they will consult this summer on a schedule of fixed penalties and procedural rules to introduce these. They have also said that the opportunity to put matters right would be given before the fine is issued and there would be a right to have the decision reviewed. 

Penalties for misconduct/harassment 

Arguably, one of the most controversial and difficult changes is that SRA guidance will be amended to dictate that cases involving sexual misconduct, discrimination or other forms of harassment will result in a restriction of practice, suspension or strike off rather than a fine, unless there are exceptional circumstances.

Whilst allegations of this kind of misconduct should always be treated seriously, there is a wide spectrum of behaviour encompassed by this sort of misconduct and a complicating factor is the subjective nature of some of the legal elements to these infractions. The SRA’s approach of treating such behaviours automatically at the very serious end, unless exceptional circumstances apply, seems at first glance to be insufficiently nuanced. However, the proposed guidance has not been published at the time of writing. 

Another source of uncertainty is that some of these concepts (especially discrimination and harassment) are not given specific definitions in the SRA’s regulatory arrangements. For example, the SRA Principles refer to the obligation to encourage “equality, diversity and inclusion” (Principle 6), but a rule based on the need ‘to encourage’ is a challenging one to enforce. The SRA Code for Solicitors says at para. 1.1, “You do not unfairly discriminate by allowing your personal views to affect your professional relationships and the way in which you provide your services”, but that does not refer to “harassment”, and it is unclear if the reference to “discriminate” targets the legal concept of discrimination under the Equality Act 2010. 

Whilst the SRA states that their aim in this regard is to ensure their approach aligns with public expectations, we have seen considerable difficulties and controversy in the exercise of that approach in high profile cases.  We appreciate that many of these cases are difficult to quantify financially, and that suspension or strike off may be appropriate in many cases, we suggest that the SRA could address this while maintaining flexibility and discretion to address individual circumstances particularly where there may be significant aggravating or mitigating factors. There is a risk here of virtue signalling, leading to the delivery of unfair outcomes. 

Conclusion

Anna Bradley, SRA Chair, has said, "These changes will mean we can resolve issues more quickly, saving time and cost for everyone and, importantly, reducing the inevitable stress for those in our enforcement processes.” 

These are laudable aims and would certainly be welcome by most solicitors who are at the sharp end of delay during the investigation and enforcement processes. However, the SRA needs to reassure the profession that it has the resources and capability to manage these increased powers and that these will translate into faster timescales.  These reforms may speed things up in straightforward matters. However, the challenge will be the more complex ones. 

There also remains the worry that the SRA has not really addressed concerns about the fairness of it investigating potential breaches and determining the outcome without a sufficient degree of independent scrutiny. While there are problems with the SDT regime, it certainly does involve a greater degree of independence and transparency.

In conclusion, while it is hard to argue against the proposition that a decade-old fining regime needed updating, perhaps more weight should have been given to the concerns outlined by respondents such as the SDT and The Law Society. 

What is operational resilience? Think of it as cartilage.

In their 2018 discussion paper, the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) define operational resilience as the ability "to prevent, respond to, recover and learn from operational disruptions". Clear as mud, right? 

Basically, it's a bit like cartilage. In a healthy human body, cartilage acts as a cushion and provides flexible support to joints and bones. Operational resilience works in the same way and essentially gives structure and processes to a business, enabling it to absorb shocks resulting from volatility and disruptions (whether arising from external or internal events or circumstances).  These may include economic shocks, cyber-attacks, or technological failures. Operational resilience seeks to ensure that organisations are prepared, enabling them to adapt and react quickly to either prevent incidents from occurring or at the very least minimising impact / disruption. 

Operational resilience in the limelight: Why does it matter?

The financial services sector is core to modern day society not only in a domestic context, but also globally. With a globally connected world, the increase in cyber-attacks, (unplanned) system outages, increased reliance on digital services and the increasing complexity of systems and their interactions and interfaces, the shift in focus by regulators isn't surprising. 

COVID has been an example of why robust business continuity and operational resilience is necessary as much of the world moved to home working overnight.  It has also resulted in the rapid adoption of technology to enable and sustain new ways and locations of working.  With these changes come solutions/innovations but also challenges, such as potentially increasing security, data and resiliency risks. 

In respect of cloud-based services, the rapid adoption of these by firms (including in response to the pandemic) carries its own unique risks, as an overreliance on a select few providers can exacerbate the scale of any disruption when issues do inevitably occur; as evidenced by Amazon Web Services' (AWS') most recent high-profile outage in December 2021, which affected everything from delivery operations to mobile banking apps.

It is a matter of record that these "concentration risks" are very much of concern to UK regulators.
The BOE and the PRA, and the FCA all launched consultations in 2019. In light of the pandemic and the conclusions drawn following responses (that disruptions and the unavailability of important business services have the potential to cause wide-reaching harm to consumers and market integrity), the BOE, PRA and FCA have developed in partnership a set of rules aimed at increasing the overall operational resilience of UK businesses. 

Who do these new rules apply to?

The rules apply to the usual subjects (e.g., banks, investment firms, building societies and insurers), but interestingly, also impact the relatively new kids on the block - payment and electronic money institutions. 

Certain rules will become effective from 31 March 2022, so with less than a month to go, let's remind ourselves as to what is expected come 31 March.

What is the expectation come 31 March 2022?

The expectation come 31 March (or shortly thereafter should the FCA come knocking at your door) is that impacted organisations will have (and have an audit trail demonstrating):

1. Identified their important busines services. These are services, which could, if disrupted, likely cause intolerable harm to their customers/the financial markets within which they operate.
2. Set impact tolerances to effectively measure/gauge the extent to which said services are able to withstand certain levels of disruption.
3. Mapped the resources necessary to deliver the important business services and tested their ability to remain within any tolerance levels set against a range of adverse scenarios.
4. Developed their internal and external communications strategies.
5. Prepared a self-assessment document showing how they will meet their operational resilience requirements.

So what's next? 

It's important to remember that this is just the first step in building an "operational resilience framework". In-scope firms are encouraged to ensure that sufficient mapping and testing activities have been undertaken to ensure that firms remain in their impact tolerances in respect of each impacted business service as soon as possible but no later than 31 March 2025. 

It is crucial therefore, that firms stay ahead of the curve and are proactive in aligning their business functions with these incoming regulations.  Certainly, for most, growing that cartilage has and will continue to take some considerable time and effort going forward!

The newly revived Bill was introduced to Parliament on 1 March 2022 and has three core components:

1. Create an overseas entities register 

This register will be overseen by Companies House and will require all overseas entities that own UK property to provide certain information, including the identity of the ultimate beneficial owner of the property. This will be of crucial assistance to the UK Government in enforcing sanctions against individuals holding UK property behind webs of offshore companies. The time limit for providing the ownership information is likely to shorten to 6 months from the original proposal of 18 months after the Act comes into force, increasing the pressure for transparency. However, there remains a question of who at Companies House will be reviewing this information and what action they will be able to take with the limited resources available.

2. Expand the Unexplained Wealth Order (UWO) regime

The Bill will give relevant authorities new grounds for seeking both UWOs and related interim freezing injunctions, which will help to avoid the targets of UWOs selling assets before the UWO bites. Authorities' liability for costs in seeking UWOs will also be limited going forwards. Only a handful of UWOs have been granted in the UK to date, but we expect this combination of new measures to increase the number of UWOs sought in the UK, with a focus on Russian oligarchs in the current climate.

3. Expand the UK sanctions regime

The bill looks to introduce significant changes to the sanctions regime to make it easier for the government to impose sanctions on companies and individuals, especially those already sanctioned by the EU or US. It also creates a civil "strict liability" offence for those found to be acting in breach of sanctions by removing the need for a party to have known or had reasonable grounds to suspect they were acting in breach. This is a significant departure that creates an offence akin to the "failure to prevent" offences under the Bribery Act 2010 for failing to prevent bribery and the Criminal Finances Act 2017 for failing to prevent the facilitation of tax evasion.

There is broad cross-party approval of the Bill, albeit there is also pressure from some quarters for the measures to go even further (such as a shorter period of 28 days for registering overseas entities with Companies House). 

Overall, we expect a key focus of discussions to be resourcing for authorities to enforce the Bill's new measures. There is a concern that the Bill's bark will be worse than its bite if authorities such as Companies House, the NCA and OFSI do not have the financing and resources to enforce these new powers. The Treasury Committee addressed the likely need for further resourcing for entities such as the NCA, which is said to have had "real term" cuts over the past 5 years, despite requesting an increased budget. It remains to be seen whether this support will be provided. 

For more information, or to discuss any of these takeaways further, please do not hesitate to contact us or visit our corporate crime page to find out how the team can help.

The applicant is the owner of a flat in a residential building in Hong Kong.  He became dissatisfied with renovation works that had taken place at the building in 2012-13. The applicant set out his concerns in a letter, dated 30 June 2015, to the certified public accountant who had been engaged by the building's incorporated owners to audit its accounts for the years during which the renovation works had been carried out. Dissatisfied with the accountant's reply and follow-up action, the applicant made a formal complaint to the Hong Kong Institute of Certified Public Accountants (the respondent) on 10 August 2015. Further correspondence followed between the applicant and the staff of the respondent's compliance department which had also sought representations from the accountant.  

The compliance department submitted a report to the respondent's professional conduct committee (the committee) which concluded that the applicant had not provided sufficient evidence to establish a prima facie case of professional misconduct on the part of the accountant. The respondent had delegated to the committee the task of considering reports from the compliance department with respect to complaints of professional misconduct. It is worth noting that the committee was made up of independent certified public accountants.  The committee agreed with the compliance department's finding and resolved to take no further action.  

The compliance department notified the applicant of the committee's decision by letter on 3 February 2016, explaining that the committee had reviewed the complaint and "Based on the information before it, the Committee considers that no prima facie case was shown". Pursuant to the applicant's request by subsequent emails, the respondent further explained in writing the essential reasons for the committee's decision – in short, confirming that the respondent was satisfied that the information and documents provided by the applicant had not been sufficient to establish the applicant's allegations.  
 
Dissatisfied with the respondent's decision, the applicant applied for judicial review.  In essence, the applicant claimed that the respondent had failed to provide sufficient reasons regarding the committee's decision.  A judge dismissed the application in a fully reasoned decision, dated 11 January 2021.³ The judge found that the reasons given by the respondent for dismissing the applicant's complaint were sufficient to enable him to understand why the committee had come to its decision and what conclusions had been reached on the principal issues that arose.  In the course of arriving at his decision, the judge had regard to several other considerations – including (among others) the impact on the applicant's rights, any alleged prejudice suffered by the applicant and the nature of the committee's role.  

The applicant appealed to the Court of Appeal.  The applicant raised several grounds of appeal.  The main issue for consideration by the Court of Appeal was whether the respondent had given sufficient reasons for the committee's decision. 

Appeal

Adequacy of Reasons

In considering the adequacy of the reasons given for the committee's decision, the Court of Appeal made a number of observations.  These included:

• where a decision-maker gives reasons as part of a regulatory investigation, the reasons may be brief and succinct.⁴
• it is not necessary for a decision-maker to consider and deal with every single issue raised by a complainant.  The decision-maker need only deal with the relevant and substantial issues and explain why they have come to their decision. ⁵
• applying settled case law, whether the reasons given by a decision-maker in a regulatory context are sufficient depends on the legal framework within which the regulator takes a decision and upon the facts of the case – context and common sense should guide the court's approach.⁶
• there is no rule that all of a decision-maker's reasons must be set out in one document or decision letter. The Court of Appeal observed that:

"The reasons for a decision may be gleaned from more than one document in a chain of communications between the decision-maker and the applicant."⁷

Applying these principles, the Court of Appeal noted that the main issue before the judge had been whether the committee's decision and the chain of emails passing between the applicant and the respondent had: (i) sufficiently addressed the substantial issues relevant to whether there was a prima facie case of professional misconduct based on the materials available and (ii) adequately explained to the applicant why the respondent considered that there was no prima facie case.⁸  

In conclusion, as regards the adequacy of reasons, the Court of Appeal stated:

"In considering whether the reasons given by the Institute for the Decision are adequate or sufficient, it is important to bear in mind that the issue is not whether the Decision is reasonable or correct. The present judicial review is not about the rationality, still less the correctness, of the Decision. It is only concerned with the adequacy or sufficiency of the reasons given by Institute. We consider that the Institute has given sufficient reasons for the Decision in the context of the present case."⁹ 

Overall Assessment

As regards the applicant's specific grounds of appeal, the Court of Appeal rejected all of them.

Interestingly, the Court of Appeal specifically addressed the applicant's argument that the judge (at first instance) had taken into account several other considerations in order to, in effect, relieve the respondent of a duty to give sufficient reasons.  The Court of Appeal explained that this was a misreading of the judgment – what the judge had done was to explain why, having regard to these other considerations, the respondent was not under any duty to provide "more detailed reasons".¹⁰   Without deciding the point, the Court of Appeal considered that a preferable approach would have been to take these other considerations into account in an overall assessment of the adequacy of the reasons given.¹¹ 

The Court of Appeal dismissed the applicant's appeal.  

Comment

Both the Court of Appeal's and the lower court's judgments are interesting and useful summaries regarding the adequacy of a regulator's reasons not to proceed with a complaint of professional misconduct – in particular, in the context of a decision made by a professional body that, after an initial investigation, there is no prima facie case to proceed.  

While there is (as yet) in Hong Kong no common law general duty on the part of administrative body to give reasons for their decisions, this is a developing area of the law to which legal practitioners and regulators (and those they regulate) should pay attention.  It is an area that is probably ripe for further appellate court clarification as the demands on regulators and those they regulate increase.  However, the reference in the Court of Appeal's judgment to case law that emphasises the importance of "context" and "common sense" is a good guiding principle.

It is worth emphasising that, in judicial review challenges such as this one, the issue for determination by the courts does not concern whether the regulator's decision is correct – rather, the focus is on the adequacy of the reasons given for the decision.   

Finally, there is an interesting passage in the Court of Appeal's judgment regarding the relevance of any alleged prejudice to the applicant arising from either a failure to give adequate reasons or the decision itself and the distinction between the two.  In addition to showing that a decision-maker has failed to give sufficient reasons, it is for an applicant to show that they have suffered substantial prejudice by that alleged failure.¹² In this case, it is not entirely clear what prejudice the applicant claimed to have suffered.  However, the issue of alleged prejudice was secondary to the main point of the Court of Appeal's judgment – the takeaway point being that, when it comes to the adequacy of the reasons for a regulator's decision, the context is crucial.   

This article was originally published in the Litigation Newsletter of the International Law Office.

RPC acted for the respondent in the proceedings. Please contact Samuel Hung by email (samuel.hung@rpclegal.com) or by telephone (+852 2216 7138), if you have any queries regarding the general issues raised in this article.  

References

¹ Ng Shek Wai v Hong Kong Institute of Certified Public Accountants [2021] HKCA 1920, 20 December 2021.
² For example, Keung Kin Wah v Law Society of Hong Kong [2021] 5 HKLRD 413, 8 November 2021 and Capital Rich Development Ltd v Town Planning Board [2007] 2 HKLRD 155.
³ [2021] HKCFI 46.
⁴ Supra note 1, at para 22.
⁵ Supra note 1, at para 22.
⁶ Capital Rich Development Ltd v Town Planning Board [2007] 2 HKLRD 155.
⁷ Supra note 1, at para 24.
⁸ Supra note 1, at para 25.
⁹ Supra note 1, at para 30.
¹⁰ Supra note 1, at para 34.
¹¹ Supra note 1, at para 35. Also see Keung Kin Wah v Law Society of Hong Kong [2021] 5 HKLRD 413, at para 42.
¹² Supra note 1, at paras 37-39.

For more information, or to discuss any of these takeaways further, please do not hesitate to contact us or visit our corporate crime page to find out how the team can help.

The Perimeter Report is intended to clarify some of the complexities about what the FCA does and does not regulate. It also sets out some areas where the FCA sees potential for customer harm.

Here are some of the key takeaways from the report for the insurance market:

1. Appointed representatives (AR) - the FCA intends to intensify its scrutiny of all principal firms, and applicants which intend to appoint ARs. The FCA also notes that in a pilot study on AR applications, 50% of applicant firms intending to appoint ARs either withdrew their applications or their applications were refused.

2. Outsourcing - the FCA suggests that regulated firms have an increasing dependency on unregulated service providers (especially in technology and information systems) and reminds regulated firms that they need to:

• identify and manage their third party risks; and
• notify the FCA of critical, important or material outsourcings.

3. Operational Resilience - related to the point on 'Outsourcing' above, the FCA notes that while the new Operational Resilience rules do not apply directly to unregulated third party service providers (or to insurance brokers), the new rules will require insurers to work effectively with third party service providers to ensure that services can be mapped and tested to identify vulnerabilities.  In essence, this means that outsourcing agreements will need to include provisions ensuring that insurers can monitor, oversee and control where necessary, and take steps to address any vulnerabilities or issues in third party services.

4. The definition of insurance - The FCA notes that there is sometimes uncertainty on whether some products should be classed as insurance and that some in the market have attempted to structure products to be outside the regulatory remit when the FCA considers these products should properly be considered insurance. The two areas of concern outlined below are mentioned specifically by the FCA and the FCA also notes that it may be looking to update its guidance as a result (Perimeter / PERG):

• Discretionary products - some providers have sought to structure contracts so that claim payments are made on a discretionary basis in an attempt to circumvent the principle that an insurance contract requires an undertaking to pay money or provide a benefit to a recipient. In some cases the FCA suggests that such discretion could either be an illusion or in fact be considered an unfair term and questions whether in these cases, the contract should be categorised as insurance; and
• Warranty repair services - the FCA considers that many warranties which are mainly repair service contracts with a minor indemnity element are artificially described and in reality are insurance contracts.

5. BI Test Case - the FCA speaks about its role in the BI Test Case but also notes that it is aware of policyholders continuing to dispute coverage, causation and calculation of claims and policyholders pursuing these disputes in the court and at the Financial Ombudsman Service. The FCA further confirmed that it (together with the PRA) will be considering this over the coming year.

The multi-regulator report is useful as it not only sets out everything coming down the line from the regulators but it also makes it easier to get a complete picture of the various initiatives, who they affect and when they are happening. The dashboard tool and drilldown filter is also useful to navigate the information particularly as there 134 initiatives included in the report.

Here are a few high level comments from some of our regulatory team on the initiatives:

• Insurance – Jonathan Charwat
  
  There are nine specific initiatives aimed at the insurance market and as a sector accounts this only accounts for 7% of all initiatives across all sectors. However, as the insurance market will surely attest, this statistic does not give the full picture as ongoing initiatives on pricing practices, product governance and operational resilience are arguably going to be some of the most ground-breaking and significant regulatory change projects for the insurance market for some time.
  
  In addition, a good deal of the multi-sector initiatives listed in the report will also affect the insurance market (such as the initiatives on consumer duty, outsourcing and third party risk management, financial promotions as well as the data protection initiatives mentioned below). Finally, the report states that a consultation is pencilled in for early 2022 in respect of the ongoing review of Solvency II.
  
  

• Credit and Payments – Whitney Simpson
  
  Credit – There are 28 initiatives across the banking, credit and lending multi sector. This is double the amount (or almost) compared to the other single sectors contained in the grid.  One of the initiatives aimed at enhancing consumer protection and which has a high indicative impact on firms is the HM Treasury consultation on Buy Now Pay Later or Deferred Payment Credit products which runs until 6 January 2022.

Payments – The grid contains 12 initiatives which are aimed at promoting competition, innovations and protections in payments to improve the quality and security of services provided to consumers and businesses including, a consultation on updates to the Payment Services and Electronic Money Approach Document and Technical Standards, and Access to Cash legislation. One of the initiatives not included on the grid is the Payment Landscape Review as this review was concluded by HM Treasury on 11 October 2021. That's not to say the initiative has concluded though as to how HM Treasury plans to take forward the identified areas of focus is still to be determined.

A number of the multi-sector initiatives will also impact both of these markets so it’s a jam-packed regulatory landscape ahead.
 

• Data protection – Jon Bartley
  
  The grid includes an update on the recent activities of the Information Commissioner's Office, particularly the ICO's consultations on new guidance.  However, as almost all the ICO consultations were closed before the publication of the grid, these entries are not as helpful for organisations wishing to identify upcoming initiatives that they can contribute to. However, they provide useful flags of ICO initiatives, such as the Accountability Framework, which many organisations have used as a means of benchmarking their data protection compliance programmes. The guidance on international transfers is also an important development, with many FS organisations considering how to navigate data transfers post-Brexit, particularly when they are subject to both EU and UK GDPR.
  
  Arguably the most important recent development in data protection law has not been included in the grid, due to the fact that it is not an ICO initiative. However, the UK government is currently consulting on some material changes to the UK data protection regime in the post-Brexit landscape. The consultation, "Data: A New Direction", is open for responses until 19th November.

Now that the UK is no longer part of the EU – with the result that EU regulations no longer take direct effect in the UK – the UK has implemented its own sanctions regime.  The cornerstone of this is the Sanctions and Money Laundering Act 2018 (SAMLA).  

SAMLA

SAMLA empowers ministers to impose a variety of sanctions, falling into broad categories:

• Financial sanctions – such as asset freezing orders, orders preventing financial services or funds from being provided to or from sanctions targets, and proscribing ownership interests in sanctions targets;
• Immigration sanctions, applying restrictions under UK immigration law;
• Trade sanctions – the broadest category, preventing, amongst other things, the import/export of goods with origins in, or destined for, designated countries or with connections to sanctions targets; preventing technologies from being made available, and preventing services from being provided by or to sanctions targets;
• Aircraft and shipping sanctions, detaining or controlling the movement of designated vessels / vessels owned by designated people, and preventing the ownership/operation/registration of vessels owned by or chartered to designated persons, and
• 'Other' sanctions for the purposes of UN obligations – this is a 'sweeper' provision and it enables the relevant minister to impose such sanctions as he/she considers appropriate for the purposes of compliance with a UN obligation.

These sanctions can be imposed by reference to designated persons, persons connected with a prescribed country, or of a prescribed description and connected with a prescribed country. 

Plus ça change

In practice, despite the implementation of a 'new regime', there is a striking similarity between the list of individuals subject to sanctions by the UK and those subject to sanctions under the EU regime.  In its press release introducing the new UK regime, the government noted that 113 entries previously subject to sanctions under the EU-derived regime would no longer be subject to asset freezes under UK legislation, and a handful of UN listings, although still subject to a travel ban, would no longer be subject to financial sanctions.  However, in the context of a UK sanctions list that is 564 A4 pages long, this is very much a case of tinkering and minor adjustments rather than wholesale change.  Time will tell whether the UK's sanctions targets diverge further from the EU's list – but for now, it is very much a case of business as usual.

Sanctions in practice

For Part 1, on the top 5 corporate crime enforcement trends you need to be aware of, click here.

Sam Tate, Head of our White Collar Crime Team, and Lucy Kerr share their key expectations regarding the next steps in this process:

1. The long-standing "Identification Principle" will be the focal point of the review as it is the fundamental route to corporate criminal liability at present, whereby a company may only be held criminally liable through the individuals that represent its "directing mind and will".  

2. The Identification Principle has proven to be a great obstacle to the prosecution of companies in recent years (especially large ones) for economic crimes.  The failed prosecution of Barclays Bank by the Serious Fraud Office in 2018 will no doubt be a significant influence on reassessing this area of law, where even the CEO and CFO of Barclays Bank did not constitute the company's directing mind and will. 

3. There has, nonetheless, already been some significant movement in the law on corporate criminal liability in the last decade with the introduction of the offences of: (i) failing to prevent bribery under the Bribery Act 2010; and (ii) failing to prevent corporate tax evasion under the Criminal Finances Act 2017.  

4. The House of Commons Treasury Committee report in March 2019 urged reform to the existing economic crime law, so it is anticipated that a new wider "failure to prevent" offence will be a key option put forward by the Law Commission. However, the mechanics of any such offence for new categories of economic crime, such as fraud, will need to be approached with caution. Unlike bribery, the corporate is often the victim of a fraud offence at the hands of its employees, rather than being a beneficiary. In addition, for money laundering offences any adequate procedure defence will need to dovetail with FCA requirements or risk creating confusion and unnecessary complexity. Getting these and other issues right will be important to avoid burdening companies with unwieldy regulation as they adapt to the twin impacts of COVID19 and Brexit.

5. The publication of the Law Commission report is not expected until late 2021.  Therefore, whatever options are put forward, we expect that any changes to the law will be slow to appear and not occur until 2022 or even later.

1. Admissions of guilt: The guidance confirms that a company entering into a DPA is not required formally to admit guilt in respect of the offences charged in the indictment, albeit it will need to admit the contents and meaning of key documents referred to in the Statement of Facts that accompanies the DPA.
2. Approach to cooperation and privilege: Cooperation with the SFO remains a key priority for the SFO in considering whether to offer a DPA (and when it comes to deciding on the discount to be offered in relation to any financial penalty). Cooperation is confirmed to include the well-established steps of self-reporting the wrongdoing to the SFO, taking remedial action and preserving evidence, amongst others. The guidance also reinforces the SFO's longstanding view that waiving privilege over material is considered to be a significant sign of cooperation (although the guidance confirms that a company cannot be penalised for maintaining privilege). 
3. Identification of third parties: The guidance indicates the SFO may intend to move away from its previous habit of identifying individuals in DPAs, aligning itself more with the approach of the Financial Conduct Authority, which maintains anonymity for third parties in its public enforcement notices. The guidance highlights that consideration must be given to compliance with the Data Protection Act 2018 and the European Convention on Human Rights when considering whether to identify third parties in a DPA. Therefore, we expect more anonymisation for individuals in future DPAs. 
4. Financial penalty: The guidance acknowledges that calculating the profit made by a company as a result of the wrongdoing (which forms the basis for any disgorgement payment and/or financial penalty) may not be a "straightforward exercise" and the guidance observes that accountancy advice may be helpful to companies.  
5. Discounts: The guidance confirms the established principle that any discount on a financial penalty under a DPA should be comparable to a fine imposed as a result of a guilty plea in a prosecution. The guidance goes on to acknowledge the precedent that has been set in the majority of previous DPAs for awarding a 50% discount in recognition of the level of cooperation habitually offered to the SFO. 

To access the SFO's guide to its approach to DPAs, click here.

For more information, or to discuss any of these takeaways further, please do not hesitate to contact the us or visit our corporate crime page to find out how our team can help.

The Government has followed up with two further, temporary legislative exemptions from the Chapter I prohibition under the Competition Act 1998, one being for health services in Wales (following a similar exemption for England) and the second for the dairy sector. 

The dairy industry's specific Covid-19 challenges have been well-documented, particularly the impact of decreased demand from the hospitality sector with farmers having to pour milk away. The purpose of the three-month exemption is to enable collaboration between dairy farmers and producers in order to avoid/minimise surplus milk being wasted and the consequent environmental harm of disposing of large volumes of milk and also to maintain milk production capacity for the future. Collective efforts to identify processing opportunities to produce storable milk products, such as butter, cheese and skimmed milk powder will be permitted, along with the sharing of labour and facilities.  Any co-ordination regarding a temporary reduction of milk products will also be permitted, provided that the object is not to exclude a dairy produce supplier from the market. However, in common with the other Covid-19 related Chapter I exemptions, it is made clear that the exemption does not apply to any arrangement involving the sharing of pricing or costs information.

One of the conditions for exemption under the various Exemption Orders is that the relevant agreement is duly notified to the Secretary of State. On 21 May 2020, the Government published its register of such agreements for the first time. Although it was too soon to cover agreements in the dairy sector, the register lists three notifications in relation to health services for patients in England and Wales, two in respect of Solent maritime crossings and thirteen in the groceries sector.

CMA's Covid-19 Task Force

The CMA has published its second Covid-19 Task Force update. It has received 60,000 contacts since it was set up. Whilst the majority of the complaints received initially related to price increases (with the price of hand sanitiser and paracetamol topping these complaints), since mid-April the majority of complaints have been about unfair practices relating to cancellations and refunds. The Task Force has now added package holidays to its initial priority sectors for investigation about possible breaches of the law, namely: holiday accommodation; weddings and events; and nursery/childcare providers. About a fifth of cancellation/refund complaints have related to airlines and these have been passed to the CAA.  The Task Force has also written to 264 businesses, which combined represent approximately a third of the actionable complaints about unjustifiable price rises.

European Commission's First Comfort Letter

In addition to highlighting its general guidance, publishing its Temporary Framework providing guidance on the competition law compliance assessment of  business cooperation in response to "situations of urgency" due to the COVID-19 pandemic and offering ad hoc guidance to businesses and trade associations,  the European Commission had stated that, in exceptional circumstances, it would consider providing a more formal 'comfort letter'.

It has published its first such letter confirming to Medicines for Europe ("MFE") that the proposed co-operation in relation to COVID-19 medicines does not raise competition concerns under Article 101 of the TFEU. The European Commission was satisfied that the purpose of the co-operation was "to expeditiously and effectively increase supply and production of urgently needed COVID-19 medicines" and that the co-operation was necessary to achieve this. MFE has accepted certain conditions, namely:

• the co-operation is open to any pharmaceutical manufacturer whether or not it is a member of MFE;
• all meetings will be minuted and copies of any agreements entered into as part of the co-operation will be provided to the European Commission;
• the exchange of confidential information will be limited to what is indispensable for achieving the objectives and will be collated by the MFE or third party appointed by it and shared on an aggregated basis; and
• the co-operation will be of limited duration, i.e. only whilst the risk of shortages remains.

In addition, the European Commission has made very clear that the comfort letter does not cover any pricing discussions and is also subject to the co-operation participants not increasing their prices beyond what is justified due to any increases in their costs.

The Order also amends Article 39H to state that the exclusion for lenders in relation to debt collecting does not apply to lenders of BBL scheme loans. This means that the instrument allows for the existing regulatory regime to continue to apply to lenders who carry on debt collecting activity in relation to loans under the BBL scheme.  This amendment is a transitional provision and only applies to loans entered under BBL scheme.

The instrument has been made to remove certain legislative obstacles which could inhibit the granting of loans by lenders to small businesses under the BBL scheme. Before this instrument was put before Parliament, the BBL scheme might otherwise have fallen within scope of the UK's regulated consumer credit regime and needed to comply with the prescriptive requirements of the Consumer Credit Act 1974.

This is another development relating to the UK's Coronavirus Business Interruption Loan ("CBIL") Scheme and the new BBL scheme. The FCA published a statement setting out its approach to these two schemes on 4 May 2020.

The FCA clarified that it doesn't expect firms who comply with the relevant requirements of CBIL and BBL schemes, to comply with the rules in the Consumer Credit sourcebook that relate to creditworthiness assessments (CONC 5.2A – 5.2A.34) where the lending is regulated. However, in respect of all other regulated lending, firms must still undertake a reasonable assessment of a customer's creditworthiness in line with CONC 5.2A.

The statement also provided clarity on the Senior Managers and Certification Regime for relevant individuals in authorised firms involved in the CBIL scheme.  The FCA explained that it intended to give similar clarity on the BBL scheme upon launched.

Finally, the FCA made comments on financial crime risks stating that for existing customers where a firm has already carried out appropriate due diligence, it would not need to make further checks (unless the customer poses a higher risk).  However, for new customers the risk may be slightly higher and so firms should carry out the normal CCD processes, but firms has discretion to decide on a simplified due diligence is the risks are low and it is appropriate. 

For more information, on the CBIL and BBL schemes, please see earlier Big Deal blog posts written by Sukh Ahark and Lauren Murphy.

Over the last month, the CMA has focused its statements and guidance on reassuring businesses as to its approach to co-operation between competitors which is necessary during the pandemic to ensure security of supplies of essential goods and services and to warn against businesses seeking to profiteer from the crisis.

However, the CMA is also aware that pressures arising from the crisis "could have a material impact on its merger control work" and has now issued guidance on its approach to merger assessment during the pandemic.

What can businesses do?

They can coordinate action on a temporary basis where this action:

• is appropriate and necessary to avoid a shortage or ensure security of supply;
• is clearly in the public interest;
• contributes to the benefit or wellbeing of consumers;
• deals with critical issues resulting from the pandemic crisis; and
• lasts no longer than is necessary.

On this basis, provided that the co-ordination does not go beyond what is necessary, there is unlikely to be a competition law concern arising from co-ordinated action to:

• avoid a shortage or ensure security of supply;
• ensure a fair distribution of scarce products;
• continue essential services; or
• provide new services, such as food deliveries to vulnerable consumers.

What must they not do?

They should not exploit the current situation either through using the crisis as cover for illegal collusion or by profiteering and charging inflated prices, as has been seen with much sought-after hand sanitisers; as previously reported, the CMA has set up a task force to monitor developments.

Specifically, the CMA has made it clear that business should not:

• exchange commercially sensitive information about future pricing or business strategies;
• exclude smaller rivals from efforts to co-operate/collaborate to ensure security of supply or denying rivals access to supplies/services;
• collude to keep prices artificially high in order to mitigate falling demand; or
• co-ordinate beyond the scope of what is necessary.

What about businesses in the financial services sector?

The Financial Conduct Authority and the Payment Systems Regulator, as concurrent competition regulators with the CMA, have confirmed that they are supportive of the CMA's guidance and will take a consistent approach to their competition law enforcement activities in the financial services sector.

Need further guidance on whether your initiatives comply with UK or EU competition law?

The CMA intends to keep its guidance under review and update it, if necessary. It has also indicated a willingness to provide additional, informal guidance (subject to resourcing constraints) where, despite the guidance, businesses and their legal advisors remain 'genuinely uncertain' about the legality of proposed actions and the matter is 'of critical importance'.

The European Commission has also announced that it has set up a dedicated mailbox for companies seeking informal guidance on the compatibility of their specific co-operation initiatives with EU competition law.