Executive Summary

In this edition of the UK Enforcement newsletter, we provide an update on recent economic crime matters in the UK. We consider anticipated legislative and regulatory updates, as well as recent enforcement actions by the Serious Fraud Office (SFO), the Financial Conduct Authority (FCA), and the Financial Reporting Council (FRC).

With respect to legislative and regulatory reform and enforcement actions, we consider the following:

• The future of the Serious Fraud Office
• The Economic Crime and Corporate Transparency Act (the ECCT Act), which has received royal assent
• Enforcement updates regarding crypto assets
• Recent Financial Reporting Council (FRC) enforcement actions
• Recent developments within the UK financial sanctions regime
• Proposals to update the Anti-Money Laundering and Counter Terrorist Financing (AML) supervisory regime across the UK

As part of our social commentary, we consider the impact on UK businesses of the U.S. Supreme Court decision on affirmative action with respect to diversity, as well as the championing of the LGBTQ+ community by General Counsel for Diversity and Inclusion.

Future of the Serious Fraud Office

Ushering in a new era for the SFO, Nick Ephgrave QPM, former assistant commissioner of the Metropolitan Police Service, began his tenure as the new Director of the SFO on September 25. Ephgrave is the first police officer and first non-lawyer to take over the agency, for an initial five-year term. Following former Director, Lisa Osofsky's turbulent tenure, which saw the collapse of key cases and failure to prosecute directors of large corporations, Ephgrave inherits an SFO facing serious challenges, uncertainty, and change.

A challenge that has plagued the SFO in recent years is the issue of disclosure. The collapse of the trial of individuals related to Serco Geografix Limited (Serco), where the SFO failed to prosecute two of the company's former directors, is a notable example of the SFO's failures. The former Serco executives were acquitted following the court's rejection of the SFO's application for adjournment while the SFO rectified its disclosure issues. In similar fashion, the SFO failed to prosecute its case against former G4S executives after a decade-long investigation, noting that the complex disclosure issues would take too long to resolve. As described in the SFO's Implementation Update of May 2023, the SFO has committed to reviewing its internal procedures to introduce standardized methodologies for the disclosure process, with the view to updating them at least once every six months to ensure their effectiveness.

The government has also taken notice of the problems around disclosure and in October 2023 launched an independent review of disclosure and fraud offenses as part of its commitments in the Fraud Strategy published in May 2023. The review, alongside examining whether the fraud offenses and penalties are appropriate for modern crime, will assess the disclosure regime and consider whether it is suitable for the digital age. In particular, it will focus on crimes such as fraud that can create substantial amounts of digital material, making significant demands on investigations and prolonging the time it takes to bring cases to court. With disclosure having been a problem that has resulted in a number of the SFO's failures to pursue cases, it will be interesting to see the review's recommendations and Ephgrave's approach to managing disclosure, as well as whether either or both is sufficient to change the SFO's poor track record on disclosure.

Adding to the questions of the future of the SFO, at the Labour Conference in October 2023, Shadow Chancellor of the Exchequer Rachel Reeves announced a policy that would see a Covid Corruption Commission appointed. The commission would have the power to use the combined forces of various government agencies, such as the SFO, HM Revenue and Customs (HMRC), and the National Crime Agency, to recover some of the loss to the taxpayer caused by Covid fraud, which Labour estimates at £7.2 billion. Should Labour come into power after the general election next May, this could see the SFO working closely with other agencies, and could significantly increase its existing caseload. It will be interesting to see how the agencies collaborate and how much of the burden is shouldered by the SFO, given that its resources are already stretched.

Alongside any new direction that Ephgrave brings to the role of Director, the success of the SFO in the coming years will also depend on the funds made available to it. The SFO needs to ensure that it offers competitive remuneration in order to recruit and retain talent, but whether its budget will allow for this without compromising other parts of the SFO's work is questionable. The competing funding priorities of the SFO will be yet another challenge for Ephgrave to tackle, and it is imperative that the government commit to a funding increase to ensure that the SFO can fulfill its purpose to investigate and prosecute the top-tier of fraud, bribery and corruption cases, especially as there will be more offenses falling under its remit with the enactment of the ECCT Bill.

The ECCT Act receives royal assent

The Economic Crime and Corporate Transparency Act received royal assent on October 26 and is now expected to come into force during 2024. Numerous changes are being introduced by the ECCT Act, with two of the most impactful of these changes being: (1) the introduction of new "failure to prevent" offenses with respect to fraud and false accounting and (2) the extension of the identification doctrine, allowing for easier prosecution of companies.

The introduction of new "failure to prevent" offenses for economic crime has long been mooted, and with the ECCT Act we are seeing the introduction of these offenses with respect to fraud and false accounting. These new offenses shift the focus on companies as victims of fraud to being held responsible for failing to prevent fraud committed by their employees or agents where that fraud benefits the corporate or persons to whom the corporate provides services. A defense of reasonable procedures is provided for, which will make it necessary for companies to look at their current policies and procedures to ensure that they are also considering the risks of fraud within their business.

The new failure to prevent offenses will be limited to large companies and partnerships (including charities) who meet two of the following conditions in the financial year prior to the offense: (1) more than 250 employees; (2) more than £36 million turnover; and/or (3) assets of more than £18 million. This restriction was removed by the House of Lords during the passage of the ECCT Act, with the intention that the offense would apply regardless of the size of the company. However, the government argued that smaller businesses should not be burdened with a requirement to put in place reasonable procedures to prevent fraud, and the application to only large enterprises has been reinstated.

Additionally, a failure to prevent money laundering offense was added to the draft legislation in the House of Lords and its potential inclusion has been hotly debated, with the government ultimately rejecting the amendments. The failure to prevent money laundering offense was intended to cover five money laundering offenses under the Proceeds of Crime Act 2002 (POCA), where such offenses are committed by an associated person with the intent of benefitting the company or persons to whom the company provides services. The government's view on this offense is that it is unnecessary as POCA and the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) already provide for prosecution of companies who fail to prevent money laundering, and its creation may adversely impact and cause confusion with the current legislation.

Elsewhere within the ECCT Act, the changes to the identification doctrine are intended to address the criticism that has arisen regarding the difficulty of holding large companies accountable for their involvement in financial crime as a result of the "directing mind and will" test. Under this common law test, criminal liability can be established for a corporate if the directing mind and will of the company is involved in criminality. However, due to the setup of modern businesses, it is often difficult in large organizations to establish corporate criminal liability on this basis.

Under the ECCT Act, the common law test for corporate criminal liability for economic crime will be replaced by a statutory test which holds companies responsible for actions taken by "senior managers," who are identified as individuals who play a significant role in: (1) making decisions about activities of the business or (2) managing or organizing those activities. This is a significant expansion of the individuals who can create corporate criminal liability for their employer and is expected to make it easier to hold companies accountable for the behavior of their employees. The economic crime offenses for which this new identification doctrine will apply include money laundering, proceeds of crime offenses, primary bribery offenses, tax offenses, fraud, some offenses under the Financial Services and Markets Act 2000 (FSMA), market manipulation, terrorism, and sanctions offenses.

The ECCT Act is intended to strengthen the UK's ability to fight fraud and other economic crimes by increasing the likelihood of companies being held liable for the actions of their employees. As with all new offenses and new legislation, it will take at least a few years for behavior that will create liability under the failure to prevent fraud and false accounting offense or the revised identification principle to be investigated and prosecuted, but in the interim it is imperative that impacted companies ensure that they have reasonable policies and procedures in place to prevent fraud and false accounting, as well as ensuring that their senior management are behaving as they should.

Recent actions by the FCA on crypto assets

FCA activity over the past few months serves as a reminder of how the regulator's existing registration powers can be used to protect consumers and the market from high-risk products, which can be followed up with enforcement action where required.

Under the MLRs, since January 2020, businesses wishing to carry out crypto asset activity in the UK have been required to register with the FCA and to comply with the requirements of the MLRs. This requirement for registration extends to crypto-ATMs, which are "ATM" type machines allowing people to buy or convert money into crypto assets. However, to date the FCA has not registered a single crypto-ATM, which means that all crypto-ATMs currently operating in the UK are doing so illegally. It is likely that this is due to concerns that crypto-ATMs lack proper controls and that such ATMs are ripe for use by criminals looking to convert illegally obtained funds into crypto assets, in violation of the money laundering rules. Since the start of 2023, the FCA has used its powers to inspect 34 locations across the UK suspected of illegally hosting crypto-ATMs and is in the process of reviewing evidence collected during these visits to consider whether further action is warranted.

Beyond crypto-ATMs, the FCA has also been slow to allow the registration of cryptocurrency firms under the MLRs. Earlier this year, the Treasury Committee published statistics showing that approximately 85% of crypto asset firms who applied for registration with the FCA have been rejected due to a failure to demonstrate they meet the minimum standards required. In a small number of cases, the FCA identified likely financial crime links but found more general issues across the spectrum of firms that had applied for registration, including that key personnel lacked the appropriate skill and experience to effectively control the money laundering risks associated with crypto assets. As with crypto-ATMs, the FCA is able to enforce against any firms which remain operational without being registered and ultimately will seek to remove these operators from the UK market.

In June 2023, the UK government passed the Financial Services and Markets Act 2000 (Financial Promotion) (Amendment) Order 2023. This came into force on October 8 and brought crypto assets within the scope of the rules governing the promotion of financial products in the UK. Since this date, the general rules relating to financial promotions have applied to crypto assets. As such, crypto promotions, including those on websites, apps, and social media will need to: (1) be authorized by the FCA; (2) be approved by a person authorized by the FCA; or (3) fall within a statutory exemption. The FCA has already taken action under the new financial promotion rules, issuing 146 alerts regarding crypto asset promotions on the first day of the new regime (October 8, 2023). This was followed up a few days later with the FCA announcing restrictions on rebuildingsociety.com, prohibiting it from approving crypto asset financial promotions.

With the new legislation giving the FCA more powers to regulate crypto assets, we can expect to see continued activity in the area of crypto asset enforcement in the near future. However, it is worth remembering that even without this new legislation, by exercising its registration powers cautiously and stringently, the FCA has been able to act as gatekeeper of the crypto industry in the UK and protect consumers from potential harms associated with this high-risk sector.

Recent FRC enforcement actions

Earlier this year, we wrote about the growing strength of FRC enforcement actions. Since this time, the FRC has continued to flex its powers, reporting record numbers of cases being resolved, sanctions of the highest level being imposed, and significant improvements to timely enforcement action. While recent press reports suggest that the FRC's proposals for audit reform are to be delayed, it is clear that enforcement will remain a priority for the regulator.

In terms of recent enforcement actions, since June of this year, the FRC has announced sanctions against KPMG, PwC, and Mazars LLP (Mazars). KPMG was fined £1.35 million (discounted to £877,500 for admissions and early disposal) for failures in its audits of Eddie Stobart Logistics plc (ESL). Specifically, KPMG failed to obtain sufficient and appropriate audit evidence with respect to ESL's property transactions to allow revenue to be properly recognized. PwC was sanctioned on the same day, also with respect to ESL, with a fine of £3.5 million (adjusted to £1.99 million for exceptional cooperation, admissions, and early disposal). The FRC found further serious failings regarding KPMG's audits of ESL's property transactions. Partners from both of the auditors were sanctioned in their individual capacities for their respective failings. Combined, the audit failings resulted in ESL overstating its profits by £2 million.

In August, Mazars was fined £90,000 with respect to wide-ranging failings of an unnamed listed company. Although the failings have not been itemized, the FRC noted that the most significant failing was the incorrect classification of convertible loan notes, resulting in a material misstatement which was not identified by Mazars until after the audit. This demonstrated a lack of quality control. The sanction against Mazars was reduced to £72,000 due to cooperation and certain admissions.

In October, KPMG was fined again, this time in relation to audits of Carillion which collapsed in January 2018. This fine was the largest ever issued by the FRC, at £21 million (reduced from £30 million on the basis of admissions and cooperation). The FRC has called this case a "textbook" failure, noting that KPMG failed to challenge Carillion management and lost objectivity in conducting its audits. As is increasingly common, the main audit partner was also fined.

Themes emerging from the FRC's recent enforcement actions include the significance of cooperation at an early stage, and where appropriate, making early admissions. The FRC has not shied away from holding auditors accountable in their individual capacities. It seems that recent enforcement actions have not only been about imposing sanctions in particular cases, but also to deter irresponsible and non-compliant auditing in the market more broadly. While it remains to be seen whether the FRC will continue with reforms intended to enhance its powers of enforcement, it is clear that the FRC is using the tools currently at its disposal efficiently and effectively.

Recent developments in the UK financial sanctions regime

In our last update, we marked the one-year anniversary of Russia's invasion of Ukraine and noted that the milestone provided an opportunity for countries to restate their commitment to the sanctions program as a means of discouraging Russia from continuing its offensive. The changes that have taken place since that update was published show that governments are following through on these commitments, and that there continues to be developments in this area which businesses should be aware of.

New laws have been passed in the UK to bolster the sanctions against Russia. In June, legislation was updated to include "seeking compensation for Ukraine" as a legitimate purpose for the sanctions program. In effect, this means that the sanctions could remain in force well beyond the end of the war and until such time as any compensation paid to Ukraine is deemed adequate. The UK government has also introduced legislation to prevent Russia from accessing the UK's legal services to facilitate certain commercial activity benefitting Russia. In practice, this could prevent UK lawyers from advising even international, non-Russian companies on decisions relating to Russian businesses. Notably however, in August, the UK government issued a general license that permits the provision of legal advice relating to compliance with any nation's sanctions regulations, subject to notification.

In addition to action targeted at Russia, the UK has imposed further sanctions against the Belarusian regime in recognition of Belarus' role in facilitating the invasion. These sanctions include export bans on sources of revenue to Belarus, imposing measures aimed at preventing sanctions circumvention in Belarus, and empowering the UK government to sanction a broader range of people who facilitate the operation of the Belarusian regime.

Beyond updates to the legislative framework, in recent months there have been signs of increased international cooperation in the implementation of sanctions against Russia. For example, in June, the UK and U.S. sanctions regulators, Office of Financial Sanctions Implementation (OFSI) and Office of Foreign Assets Control (OFAC), published a joint fact sheet on humanitarian assistance and food security in relation to the Russian sanctions. The fact sheet clarified that both the UK and the U.S. prioritize applications for licenses where there are humanitarian issues at play and confirmed that generally, U.S. and UK financial institutions can process transactions relating to the export of agricultural commodities, medicine, or medical devices to and from Russia. More significant than the guidance itself was the fact that this was the first fact sheet jointly published by OFSI and OFAC since they announced a plan for enhanced partnership last year. Again, this shows that governments are following through on commitments made in the sanctions sphere.

Until recently, OFSI had not carried out any enforcement actions with respect to breaches of the Russia sanctions. On August 31, it publicly disclosed that Wise Payments Limited, a UK-based foreign exchange company, had breached financial sanctions in allowing a cash withdrawal of £250 by a designated person in June 2022. OFSI considered that, although the breach was of a low value, the systems and controls failings that allowed continued use of debit cards made the case moderately severe overall. Although no fine was imposed, the publication of the breach was intended to act as a cautionary tale for other companies. In conjunction with publishing the breach, OFSI updated its guidance on Monetary Penalty and Enforcement setting out how it will impose penalties against breaches of varying severity, and when it will publicize breaches where no fines have been imposed.

Given the amount of time it has taken from the identification of a breach to the imposition of penalties, we can expect OFSI enforcement actions in relation to the new Russian sanctions to come to light over the next year. It is only then that we will get a sense of the real impact of the sanctions, but what is telling from the disclosure made regarding Wise Payments Limited is that there clearly is an appetite for enforcement.

Proposals to update the AML supervisory regime across the UK

In late June 2023 HM Treasury published a consultation paper on the reform of the UK's AML supervisory regime with the purpose of increasing effectiveness and streamlining supervision. The consultation paper proposes four models for the future of the AML supervisory system.

Currently, in addition to the three statutory supervisors — the FCA, the Gambling Commission, and HMRC — there are 22 professional body supervisors (PBSs) responsible for monitoring compliance with the MLRs in the legal and accountancy sectors. This diversity of PBSs is a result of different categories of accountants having individual regulators (such as separate regulators for chartered accountants, bookkeepers, tax specialists, etc.), as well as both accountancy and legal sectors having separate PBSs for England and Wales, Scotland, and Northern Ireland. The 22 PBSs are in turn monitored by the Office for Professional Body Anti-Money Laundering Supervision (OPBAS), which sits within the FCA and is responsible for ensuring that the legal and accountancy PBSs are supervising their sectors effectively. This large number of supervisors has led to inefficiencies and difficulties in ensuring a consistent application of the AML framework across the regulated sector, which the four models proposed by HM Treasury seek to alleviate.

Firstly, under the "OPBAS+" model, the current structure would be maintained, with OPBAS being granted additional supervisory powers, including the ability to publicize supervisory interventions (to increase transparency across the 22 PBSs) and to fine the PBSs for supervisory failings. This is the least intrusive model to implement as there would be no change to the remit of any of the current AML supervisory bodies, although it is also least likely to have the desired impact of consolidating the AML approach across sectors.

Secondly, the "PBS Consolidation" model would leave either two PBSs to cover the legal and the accountancy sectors, or, more likely, six PBSs — one PBS for each sector in each of the three UK jurisdictions.

Thirdly, under the "Single Professional Services Supervisor (SPSS)" model, there would be consolidation of all 22 PBSs into an SPSS for the accounting and legal sector. This model is distinguished from the PBS Consolidation model as the SPSS would have the same statutory powers as the FCA and HMRC have under the MLRs, and as a result, this model points to the creation of a new SPSS that would be a public body, rather than increasing the powers and scope of supervision of one of the current PBSs.

The final model would be for a single dedicated AML supervisor that would replace all of the current supervisory bodies, including the FCA, HMRC, and the Gambling Commission. It is argued that this supervisor would have no competing organizational priorities and would be better placed to ensure a consistent approach to supervision and enforcement. While a single regulator may be able to ensure greater consistency within its own enforcement actions, this model runs the risk of losing the sector-specific knowledge that the various current AML supervisors have, given the particular AML risks that impact, for example, the financial sector in comparison to the gambling sector and the other regulated sectors.

The deadline for feedback on the consultation for the proposed reforms to the UK's AML supervisory regime closed on September 30, and a policy statement is now expected in the first half of 2024. While it is clear that some reform of the AML supervisory regime is to be expected, it will remain to be seen whether the government has the appetite for a significant overhaul of this sector.

Social Commentary

U.S. Supreme Court ruling on affirmative action and what it means for UK businesses

On June 29, the U.S. Supreme Court ruled that race-conscious admissions policies at Harvard University and the University of North Carolina were unconstitutional. The decision dealt a significant blow to the policy of affirmative action, otherwise known as positive discrimination, which has been adopted by some higher education institutions as a means of improving diversity by allowing race to be considered a relevant factor during university admissions processes.

The Supreme Court ruled that race-conscious admissions policies violated Title VI of the 1964 Civil Rights Act, which bars discrimination based on race, color, or national origin. However, the ruling was limited in two important respects. Firstly, it did not prohibit universities from considering an applicant's discussion of how race has affected their life, for example, by discussing race-related challenges they have faced in their admissions essay. Secondly, the decision is limited to university admissions and does not directly impact, for example, workplace diversity and inclusion programs. That said, political groups have already hinted that workplaces deploying affirmative action initiatives should brace themselves for similar legal challenges in the future.

Despite being a U.S. decision handed down by a U.S. court, the impact of the ruling has been felt at an international level and there are potential knock-on effects for UK companies. Firstly, UK companies with an international presence may encounter greater difficulties in achieving racial diversity, particularly in U.S. offices. Although workplaces are not directly impacted, a reduction in the number of diverse students accepted to U.S. universities will inevitably lead to a smaller pool of diverse candidates for graduate-level jobs. On top of this, there are concerns that corporate counsel will begin scaling back diverse hiring programs, or being less vocal about such policies, in fear of being targeted in future lawsuits.

Secondly, UK companies may begin to give more careful consideration to the legal basis of their own diversity programs in the UK. Ultimately, the UK regime is already more restrictive than the pre-ruling U.S. position when it comes to considering diverse characteristics in decision making. UK law does not allow candidates from underrepresented groups to be preferred to better-qualified candidates and it is only in certain "tie breaker" situations that diverse characteristics can be taken into account in reaching admissions or hiring decisions. However, UK institutions remain under pressure from employees, stakeholders, and the public at large to improve their diversity statistics, and the bar on positive discrimination in the UK is sometimes criticized for slowing the pace of change. The recent U.S. legal action, and the prospect of more to come, will mean that litigation risks remain at the forefront for companies grappling with the need to become more diverse against a backdrop of restrictive legislation.

Looking forward, the U.S. Supreme Court's ruling is unlikely to be the final word on the matter. The decision leaves room for debate about the extent to which diversity can inform a broader assessment of a candidate and, as already discussed, there are further challenges to workplace diversity programs expected. In the meantime, it is important for UK companies to consider how best to ensure a continued pipeline of diverse candidates while remaining compliant with relevant legislation.

General Counsel join together to champion the LGBTQ+ community

In early September, the General Counsel for Diversity and Inclusion group (GCD&I) launched "OUT@work," a program aimed at enhancing equity and inclusivity for the LGBTQ+ community in the workplace.

The program aims to be a LGBTQ+ talent development initiative across the legal industry through two core purposes: (1) making the workplace more equitable and inclusive for the LGBTQ+ community and (2) providing the community with tools for growth, development, and visibility. Participants of the program will be invited to attend various meetings, activities, and group sessions which will provide actionable, meaningful tips to encourage development in this area. The GCD&I has noted that mentorship within the community will be an important part of the program, both in terms of demonstrating authenticity as a LGBTQ+ role model and by way of emphasizing the power of allyship.

The GCD&I was established in 2019 by various in-house counsel at major corporations in order to promote diversity, equality, and inclusion (DEI) in the legal sector. While some of its work focusses on DEI within the in-house legal industry, one of its stated missions is to effect change in the way that in-house counsel engage with law firms in order to promote DEI within private practice and more widely across legal services. As with many initiatives, change is often data-led in order to provide context and drive accountability. The GCD&I relies on standardized metrics to help measure progress, which it then uses to initiate collaborative projects such as OUT@work in collaboration with others in the legal industry.

For some time now, in-house counsel have required the law firms that they use to share diversity data and DEI commitments. It appears that, notwithstanding the U.S. Supreme Court's decision referred to above, in-house counsel remain focused on broadening the talent pool available to them and implementing measures to ensure that diverse candidates are able to progress within not only their organizations, but within the legal community at large.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.