Cross-Border White Collar Crime and Investigations Review
A summary of the key legislative and enforcement developments in cross-border white collar crime.
Investigations and financial crime lawyers at large multinational companies faced a plethora of financial crime and investigations developments over the past 12 months, not least the wave of sanctions against Russia. In addition, the economic downturn, stretched compliance resources, and stressed supply chains have increased the risk of misconduct.
In-house Counsel and Heads of Risk will need a laser focus on higher risk areas to mitigate the impact of issues that arise, especially given the increased expectations on corporate behaviour, from a wider range of stakeholders, on issues such as human rights and the environment.
The Allen & Overy Cross-Border White Collar Crime and Investigations Review analyses the latest developments, and highlights the most significant current and emerging issues that white collar crime and investigations in-house counsel should prioritise in 2023.
Looking ahead - managing key challenges this year
- Be alive to supply chain pressures leading to misconduct
- Understand evolving expectations on corporate accountability on environmental and human rights issues
- Don’t take your eye off intermediaries
- Ensure corporate culture supports effective compliance, even during an economic downturn
- Navigate conflicting laws driven by national security and geopolitics
- Manage risk of unsanctioned communication channels for business purposes
- Be alive to the pinch points on privilege
- Look after your (and others’) data
- Expect more investigations to be investigated
- Balance the costs and benefits of self-reporting and cooperation
Be alive to supply chain pressures leading to misconduct
The Russian invasion of Ukraine, and post-pandemic pressures, have led to increased pressure on supply chains. Business pressure to find solutions can inadvertently lead to behaviours that fall foul of laws on bribery and corruption, financial sanctions and terrorism financing, eg by making payments to groups for safe passage of goods in certain territories. Enhanced expectations and, in some countries, specific supply chain due diligence laws mean that such misconduct is less likely to go unnoticed.
How you should respond – Make sure that commercial knowledge on pressure points is shared with those who have responsibility for providing risk-based training and guidance on policies and procedures. To mitigate those risks, identify areas/personnel of higher risk based on current events, geographies, and check the local controls and oversight of those controls. Some compliance functions have been stretched due to diversion of resource to sanctions‑related matters and budgetary constraints. Check that those who remain have the necessary skills and expertise, and time, to adequately support effective compliance. Both the U.S. Department of Justice and the UK Serious Fraud Office are increasingly focusing on resourcing and capability of the compliance function when evaluating a corporate compliance programme.
Understand evolving expectations on corporate accountability on environmental and human rights issues
Expect increased scrutiny of corporate behaviour. Higher standards and expectations on corporate accountability have manifested in different ways across the globe. The direction of travel is firmly towards increased scrutiny of corporate behaviour regarding the environment, people working in, and impacted by, all parts of a company’s value chain (including third party suppliers) and employees. In addition, pressure is being exerted by a broader range of stakeholders. Activist shareholders, employees, employees of third party suppliers, local communities and others are using both litigation and reputational levers to hold companies to account for environmental harms and human rights violations. Belgium is likely to be the first European country to introduce a criminal offence of ecocide. The French courts have been upholding unprecedented indictments against companies for aiding and abetting war crimes and crimes against humanity. 2023 will be marked by the development of a wide array of new sustainability obligations for companies operating in the EU.
How you should respond - Prevention is the best medicine so companies should check that compliance and whistleblowing procedures are working as intended – the ongoing implementation of the EU Whistleblowing Directive means that this is an area of focus for many EU Member States. If misconduct is suspected, any internal investigation should be carefully structured to take into account the very real risk of follow-on civil or criminal litigation and regulatory action. Many whistleblowers that communicate with government regulators have first raised concerns internally and not felt their concerns have been adequately addressed. A measured and proportionate whistleblowing response and internal investigations programme may help identify and stop misconduct before external stakeholders are aware.
Don’t take your eye off intermediaries
The use of intermediaries remains a high corruption risk. Almost all FCPA and other corruption cases involve the use of third parties or intermediaries to make corrupt payments. The true purpose of the payments is invariably disguised, such as in improper mark‑ups, poorly defined “service fees,” or other schemes designed to evade a company’s internal controls. Bribery and corruption remain high on many existing enforcement authorities’ agendas and those of new ones, eg the new Australian Anti-Corruption Commission.
How you should respond - Companies must ensure that their policies and procedures around the hiring of, and commercial terms with, business partners are properly implemented and reviewed on a regular basis to reflect the business as it evolves. Commercial pressures should not be allowed to trump adequate due diligence. Compliance and finance functions need to be properly resourced with staff with the right level of experience and seniority. Not only will this help prevent misconduct, but it will also be a mitigating factor should there be any enforcement action. Data analytics offer insights to drive compliance programmes, and authorities’ expectations in this regard are increasing. Compliance teams should consider whether they use data effectively to: (i) save time and cost; and (ii) inform the design, implementation and effectiveness of compliance programmes.
Ensure corporate culture supports effective compliance, even during an economic downturn
Expect continued scrutiny of how corporate culture and compliance interact. Recent enforcement suggests that merely having policies and procedures in place, even if externally certified, will not necessarily be adequate either to prevent financial crime in an organisation or to provide an ‘adequate procedures’ defence for a company faced with prosecution under English law ‘failure to prevent’ type offences relating to bribery and tax evasion. How the policies and procedures are embedded in an organisation is critical to making them effective. At a time of budget constraints, eg on legal and compliance for many businesses, we still expect to see continued scrutiny by authorities on “tone from the top” and the “tone from the middle”.
How you should respond - How an organisation responds to issues that arise is seen as one of the litmus tests for the culture of an organisation. The implementation of the EU Whistleblowing Directive across many EU Member States highlights the importance of companies having fit‑for‑purpose whistleblowing programmes. The identification of incidents through a proper compliance and whistleblower programme, a prompt and objective investigation, and appropriate and timely remediation not only limits damage for the company but may also be viewed positively by the authorities if the conduct comes to their attention.
Navigate conflicting laws driven by national security and geopolitics
Expect increasing global geopolitical tensions to ensnare more companies. The dynamics of geopolitics and national security concerns mean that businesses can increasingly end up as pawns, often being stuck between conflicting requirements that require delicate navigation. For example:
- The war in Ukraine has led to a surge in sanctions measures relating to Russia, which apply to businesses in all sectors.
- China’s data laws add substantial complexity to the cross-border transfer of documents and evidence for investigations, particularly in the context of requests from foreign government authorities, and also for internal investigations.
How you should respond - Companies will need to consider the commercial, legal and enforcement context in order to adopt a sensible path through these national security‑driven and often conflicting requirements. Make sure that the reasons for internal decisions are properly documented. Where appropriate, maintain an open dialogue with the authorities if the company is unable to comply with a request or order due to conflicting requirements. It can sometimes be possible to negotiate a path forward that avoids direct conflict.
Manage risk of unsanctioned communication channels for business purposes
The unauthorised use of unmonitored personal devices and encrypted communication applications is widespread, and poses significant enforcement risk, particularly to those in regulated sectors. It also impairs the ability of internal investigators to access and uncover facts quickly should an allegation of misconduct arise. The U.S. Department of Justice is expected to issue new guidance in 2023 in this area for all companies, not just those that operate in highly regulated sectors.
How you should respond - GCs and Heads of Risk must ensure that employment policies and agreements are fit for purpose, and actively policed. One approach is for policies to make clear that personal devices cannot be used for business purposes in any circumstances, and then to reiterate this message in the regular compliance training and communication programme. Privacy and employment laws can pose additional challenges to consider if access to a personal device becomes necessary. A common practice is developing to retain pool counsel or independent counsel for individual employees to review and identify responsive correspondence from an employee’s personal device. Obtaining consent to access a personal device, particularly during the throes of an investigation, can create tensions and test your policies and employment agreements.
Investigate how technology can help to quickly and effectively review data to pinpoint key communications during an investigation. Using technology to do the heavy lifting at the document review stage often saves costs in the longer term and narrows the scope of manual review needed.
Be alive to the pinch points on privilege
Expect more pushback when claiming legal privilege. This is not new for 2023, but it remains a challenge in many investigations. There is often a tension between an authority’s expectations of cooperation, and rules on legal professional privilege.
How you should respond - In-house counsel are advised to continue to consider carefully how to manage issues of privilege and cooperation, perhaps adopting a tiered approach with “crown jewel” privilege claims (for example, communications with external lawyers) and other privilege claims that may be less uncomfortable to waive (for example, notes of interviews with some employees). Any decision to waive privilege must be informed by a strategy to minimise the wider impact of any waiver as well as an analysis of the possible use that an authority may make of the material, including possible onward transmission by the authority to a third party. Additionally, take care to consider privilege laws in the different countries in which you operate and minimise the likelihood of inadvertent waiver, for example by following best practices when conducting internal investigations.
Look after your (and others’) data
Expect cybersecurity to remain a priority. Risk has increased due to the Russian invasion of Ukraine and the post-pandemic economic environment. Key threats include:
- malicious cyber actors targeting internet-facing systems, such as email servers and virtual private networks (VPNs) with newly disclosed vulnerabilities
- a 300% increase in ransomware attacks since 2019, with the most common entry points being Remote Desktop Protocol (RDP) ports as well as unpatched software, hardware or VPNs
- denial-of-service attacks.
Cybersecurity remains a favourite on many authorities’ compliance and enforcement agendas.
How you should respond - Invest in strong defences and experienced personnel while implementing robust processes and procedures so that a business stands ready to react to, respond to and remediate any incidents that occur in a timely fashion and in a manner that considers stakeholder concerns, reporting obligations, and any potential liability. Board engagement is vital, so the board should receive regular reporting on cyber risks.
1 UK FCA Cyber Coordination Group Insights, published 8 December 2022.
Expect more investigations to be investigated
When the outcome of an employee misconduct investigation goes against an individual, or a regulator is a stakeholder, the spotlight can turn onto the investigator. Were they independent? Was there a conflict or perceived conflict? Did the investigator have the necessary skill-set to understand the nuances of a particular allegation? Was there institutional bias? What experience did the investigator have in running hybrid, multi‑disciplinary or multi-jurisdictional investigations? Did the investigator have the necessary time and resources to dedicate to the process? If there are shortcomings in any of these areas, it can lead to the need for a second, independent, external investigation, adding delay and cost.
How you should respond - This can be avoided if time and thought are invested at the outset, when triaging and ‘scoping out’ investigations, to identify those cases that are, whether optically or practically, more appropriate to be outsourced. For example, if the investigation involves a senior executive with a high profile, outsourcing may help avoid questions of independence. Another example is where the investigation involves serious allegations of sexual or racial harassment and it is felt that the available investigators do not have the appropriate skill‑set for the investigation. The key point is that these factors need to be taken into account at the outset.
Balance the costs and benefits of self-reporting and cooperation
In-house counsel can face tough decisions on whether and how to self-report and/or cooperate with authorities. Some authorities have a much more active enforcement record than others. The benefits and drawbacks of cooperation vary by jurisdiction. There have been substantial discounts on fines for companies that have not self-reported but pleaded guilty before conviction, thus avoiding a trial.
How you should respond - A decision to cooperate must take into account the time and cost of doing so, and the potential reputational and financial upside, including a potential discount on a fine. This should be compared with what might happen if the business takes a more passive stance.
Our lawyers have strength and depth in many geographical areas and are used to helping our clients navigate all these issues to reach effective and practical solutions. If you would like to discuss any of the issues arising in this publication with our team, please contact firstname.lastname@example.org.
There were high levels of regulatory and enforcement activity in Australia in 2022. The regulatory landscape has continued to experience significant shifts as the economy encounters greater inflation, geo‑political tensions, increasing environmental concerns and a growing number of cybersecurity threats. The Australian Securities and Investments Commission (ASIC), Australia’s financial services regulator, departed from its much-publicised and controversial “why not litigate” approach in favour of an approach that prioritises promoting Australia’s economic recovery from the pandemic and the inflationary pressures that are currently being experienced.
With the victory of the Anthony Albanese-led Labor Party over the conservative incumbent government led by now former Prime Minister Scott Morrison in the May 2022 federal election, a steady stream of new legislation has started making its way through federal parliament. Several of these bills will impact white collar crime and investigations, with more reform to come, including in relation to data protection, money laundering and terrorism financing, and corruption.
At the end of 2022, a bill was passed providing for the creation of a National Anti-Corruption Commission, likely mid-way through 2023. It is likely to result in high-profile investigations in the years ahead.
Regulatory and criminal enforcement in Belgium remains robust, with a significant uptick in the investigation and prosecution of corruption, environmental pollution, social fraud and human trafficking. Authorities are in particular focusing on the chemical, construction and transportation sectors.
We expect this trend to continue and intensify in light of: (i) increased regulation such as the development of a Business and Human Rights framework and the expected introduction of ecocide as a self-standing criminal offence under the new Belgian Criminal Code; (ii) compliance, in the broadest sense of the word, becoming a focal point for businesses in any sector; and (iii) increased whistleblowing disclosures, driven by the very recent transposition of the EU Whistleblowing Directive into Belgian national law.
Financial crime remains high on the cross-border enforcement agenda, and will only gain in importance due to the rapidly increasing caseload of the European Public Prosecutors Office (EPPO), increased enforcement activities by financial market regulators and antitrust authorities and recent calls for EU Member States to enforce the myriad of sanctions imposed in response to Russia’s invasion of Ukraine.
China’s data laws have added substantial complexity to the cross-border transfer of documents and evidence for investigations, particularly in the context of requests from foreign government authorities, and for internal investigations. This will impact how a company can respond to direct requests from non-Chinese authorities in any investigation concerning China-based conduct. Data enforcement activity is also increasing rapidly, and it has been confirmed that foreign-registered entities are captured squarely by the PRC data regime, if processing activities under their direction are carried out in China.
A dip in ABAC enforcement activity against companies in 2022, due to competing governmental priorities (notably Covid), is expected to be temporary, with the government regularly restating its commitment to combat both active and passive bribery.
China’s approach to the regulation of non-fungible tokens (NFTs) is evolving, and it is expected that regulation will include ensuring that NFTs are not commoditised, in line with China’s approach to cryptocurrencies.
France remains a key player in white collar enforcement in Europe. As with previous years, the fight against money laundering, tax evasion and corrupt practices remains an enforcement priority, in particular for the National Financial Prosecutor’s Office (PNF). Corporate responsibility for human rights violations has also been a major enforcement and investigations theme this year with the Cour de Cassation (the French Supreme Court) and the Paris Court of Appeal upholding unprecedented indictments against corporates for aiding and abetting war crimes and crimes against humanity. There has also been an ever‑growing number of French‑style Deferred Prosecution Agreements (Convention Judiciaire d’Intérêt Public (CJIP)).
Prosecution authorities, as well as criminal courts, continue to investigate the cum/ex complex, which has led to further indictments and convictions in 2022. A significant number of banks and audit firms have been raided in connection with these investigations. We expect to see more in 2023.
The criminal trial against the former CEO of Wirecard and other former senior Wirecard managers regarding allegations of fraud, balance sheet manipulation and other offences commenced before the Munich Regional Court in December 2022. The criminal trial regarding the Wirecard case will likely continue throughout 2023.
The Supply Chain Due Diligence Act came into force on 1 January 2023, and we anticipate the first regulatory enquiries into compliance with the new law. The German legislature is expected to pass the Whistleblower Protection Act early in 2023, meaning that the new law would come into force towards the end of Q1/2023.
Hong Kong SAR, China
The new Head of Enforcement for the Securities and Futures Commission (SFC) may in due course herald a change in regulatory direction and enforcement policy in Hong Kong. Whether or not that occurs, the SFC continues to drive change to better regulate the financial markets. A new consultation proposes changes that would permit the SFC to apply for remedial and other court orders on the basis of disciplinary action rather than breach of certain laws, while the SFC continues to advocate for, and seek to expand its regulatory oversight of, the cryptocurrency sector. Meanwhile, proposed legislative reforms address weaknesses in existing cybersecurity laws and strengthen sanctions.
The past year has seen a vast increase in attention paid to sanctions legislation due to the ongoing war in Ukraine. Investigations into non-compliance with Anti-Money Laundering regulations also remain a high priority for Dutch enforcement authorities. In addition, the Dutch Public Prosecution Service (DPPS) continues to focus on the prosecution of individuals, in cases where a legal entity enters a settlement with the DPPS. We expect increased scrutiny of tax integrity, cybercrime and business responsibility for human rights in 2023.
The risk of the Financial Action Task Force (FATF) greylisting looms large over recent South African reforms, as do the ongoing consequences of “state capture”. The four-year-long Judicial Commission of Enquiry into Allegations of State Capture, Corruption and Fraud in the Public Sector including Organs of State (Zondo Commission) has submitted its final report to the President. The Presidency, Parliament, law enforcement and regulators have shifted to pursuing criminal prosecutions and administrative penalties against offenders, recovering funds and considering necessary legislative and institutional reforms. High‑profile arrests and settlement agreements relating to state capture and asset‑freezing related to corporate accounting and reporting fraud have dominated the latter part of 2022. We anticipate that 2023 is likely to see similar arrests, extensive litigation and a raft of legislative reform focused on preventing money-laundering and regulating public procurement. State capture investigations have prompted increasing cooperation between law enforcement and regulatory agencies which has extended to using relatively powerful anti-money laundering (AML), tax evasion and exchange control remedies to combat corporate fraud as well as environmental and cyber-crimes.
United Arab Emirates
2022 was another busy year for the UAE as it sought to further develop its regulatory framework. The UAE continued with significant regulatory development and expansion, including in the areas of anti-money laundering/counter-terrorist financing compliance, whistleblowing, data protection and virtual assets. These developments continue to have implications for both the UAE’s onshore jurisdiction and its offshore jurisdictions, including the Dubai International Financial Centre (the DIFC) and the Abu Dhabi Global Market (ADGM).
We expect to see the UAE authorities place a greater focus on monitoring and enforcing compliance with new and existing regimes in the year ahead. Businesses should therefore take prompt and proactive steps to ensure they are compliant with all regimes applicable to them so that monitoring and enforcement risks on the horizon can be appropriately managed and mitigated.
The Russian invasion of Ukraine hastened legislative reform aimed at stemming the flow of ‘dirty money’ in the UK and aiding the enforcement of financial sanctions. Not so hasty is a new ‘failure to prevent’ economic crime offence, which is still not on the statute books. Supporters of reform will have been pleased with the UK Law Commission’s July 2022 report which stated that there is now a ‘consensus’ on the need for reform of English law on corporate criminal liability, but less pleased that the government has still not decided which, if any, of the Commission’s various options for reform to adopt.
The FCA had a busy year in 2022, announcing a number of significant enforcements concerning market misconduct and financial crime, including decisions concerning firms’ failure to prevent bribery and corruption. Meanwhile, the SFO was very publicly criticised for multiple disclosure failings which led to high‑profile acquittals of individuals in large fraud and corruption cases. It was not all bad news for the SFO though, with its largest fine levied against a mining and commodities company for bribery. A new head of the SFO will be appointed in 2023.
The cost‑of‑living crisis, stretched compliance resources, and stressed supply chains are an ideal breeding ground for misconduct. Companies should double down on fostering a culture of compliance, and not turn a blind eye to the increasing use by employees of unauthorised encrypted messaging platforms for doing business.
With the implementation of new laws and policies focusing extensively on corporate compliance, companies will have to consider their regulatory obligations more carefully. Pivotal to this consideration will be companies’ ability to effectively spot issues and address potential compliance failures through internal investigations and effective compliance programming. This enhanced focus on corporate compliance is evidenced by the Biden Administration’s commitment to increased enforcement efforts both in civil and criminal enforcement. The U.S. Department of Justice (DOJ), the Securities and Exchange Commission (SEC), and the Commodity Futures Trading Commission (CFTC), among other regulatory agencies, have all shown signs of a more zealous enforcement approach, implementing new policies, expanding corporate disclosure requirements, and allocating more resources to enforcement departments. Crypto-assets, insider trading, sanctions, and record‑keeping are all prominent areas of focus.