Cross-Border White Collar Crime and Investigations Review
A summary of the key legislative and enforcement developments in cross-border white collar crime.
Investigations and financial crime lawyers at large multinational companies faced a plethora of financial crime and investigations developments over the past 12 months.
More countries are introducing or amending financial crime laws, new types of businesses are being brought into the scope of existing laws, and there are increased expectations on corporate behaviour from a wider range of stakeholders. In-house counsel need to be nimble footed to help organisations adapt to new expectations, and mitigate the impact of issues that arise.
The Allen & Overy Cross-Border White Collar Crime and Investigations Review analyses the latest developments, and highlights the most significant current and emerging issues that white collar crime and investigations in-house counsel should prioritise in 2022.
Looking ahead - managing key challenges this year
- Understand evolving expectations on corporate accountability
- Don’t take your eye off intermediaries
- Old and new financial gatekeepers must keep up to date with AML compliance
- Consider the risk of corporate criminal exposure
- Ensure corporate culture supports effective compliance
- Navigate conflicting laws driven by national security and geopolitics
- Don’t underestimate the expanding global enforcement web
- Looking after your data
- Understand the risk/benefit analysis on 'cooperation'
- Be alive to the pinch points on privilege
Understand evolving expectations on corporate accountability
Expect increased scrutiny of corporate behaviour - Higher standards and expectations on corporate accountability have manifested in different ways across the globe. However, the direction of travel is firmly towards increased scrutiny of corporate behaviour regarding the environment, people working in, and impacted by, all parts of a company’s value chain (including third party suppliers) and employees. In some countries (France, Germany, Belgium) there are new corporate vigilance obligations either in force or proposed. In addition, pressure is being exerted by a broader range of stakeholders. Activist shareholders, employees and others are using both litigation and reputational levers to hold companies to account for environmental harms and human rights violations.
How you should respond - Prevention is better than cure so companies should check that compliance and whistleblowing procedures are working as intended. If misconduct is suspected, any internal investigation should be carefully structured to take into account the very real risk of follow-on civil or criminal litigation and regulatory action.
Don’t take your eye off intermediaries
The use of intermediaries remains a high corruption risk – Like many previous years, the enforcement authorities took action in 2021 on corrupt payments made to third parties including those concealed as, for example, consultancy fees, sponsorship or charitable donations. Post-pandemic pressure on supply chains means that some companies may be keen to enter business arrangements with new partners, quickly. The U.S. Biden administration views corruption as a core national security interest, and its new anti-corruption strategy promises to ‘surge resources’ for corporate FCPA enforcement.
How you should respond - Companies must ensure that their policies and procedures around the use of such business partners are properly implemented, and reviewed on a regular basis to reflect the business as it evolves. Ensure that commercial pressures are not trumping adequate due diligence.
Old and new financial gatekeepers must keep up to date with AML compliance
Expect tougher anti-money laundering and counter-terrorist financing laws - Every jurisdiction surveyed this year is bolstering anti-money laundering and counter-terrorist financing laws, many following the recommendations from the Financial Action Task Force. The traditional financial gatekeepers such as banks are prime targets for enhanced regulation and tougher laws. But a broader range of gatekeepers are increasingly being bought into the frame with regulations being expanded to catch virtual asset service providers and fintechs. Whilst automation and AI can do some of the heavy lifting on AML compliance, enforcement shows that performance of AI will only be as good as (1) the data it relies on, and (2) the quality of the human decision making at the point when the system raises a red flag. We expect to see continued close scrutiny and rigorous enforcement in this area, particularly around weak systems and controls.
How you should respond - All types of business, not just those in finance, should identify money laundering risks and implement controls, with appropriate senior management oversight, to mitigate them. Compliance functions must be adequately resourced. Staff should be sufficiently experienced and feel empowered to independently question decisions taken by others.
Consider the risk of corporate criminal exposure
Expect law reform on corporate criminal liability - Proposed and actual legislative reform in several jurisdictions is aimed at making it easier to convict large companies of a criminal offence. Some jurisdictions have adopted, or are considering adopting (e.g. Australia), the UK Bribery Act 2010 s7 model of ‘failure to prevent’ bribery. There is pressure on the UK government for this type of offence to apply to a broader category of financial crimes.
How you should respond - Any analysis of corporate exposure following allegations of misconduct should factor in the jurisdictions involved, and the risk of corporate (and individual) liability. Companies should reduce their financial crime risk, and maximise their chance of successfully mounting an ‘adequate procedures’ defence, where applicable, by implementing an effective compliance programme. Companies which formulated their policies some years ago should review relevant guidance, update policies, provide regular training to staff and ensure that both senior and middle management set the right tone in their behaviour and communications. This is particularly so given the move to more remote working. Data analytics offer insights to drive compliance programmes and authorities’ expectations in this regard are increasing. Compliance teams should consider whether they use data effectively enough to inform the design, implementation and effectiveness of compliance programmes.
Ensure corporate culture supports effective compliance
Expect more scrutiny of how corporate culture and compliance interact - Recent bribery enforcement suggests that just having policies and procedures in place, even if externally certified, will not necessarily be adequate either to prevent financial crime in an organisation or to provide an 'adequate procedures' defence for a company faced with prosecution under 'failure to prevent' type offences. How the policies and procedures are embedded in an organisation is critical to making them effective. Large global companies with sophisticated ABAC policies and procedures have fallen foul of bribery laws where the culture at the company has permitted bribery to take place. We expect to see continued scrutiny by authorities on 'tone from the top' and the tone from within (i.e. middle management).
How you should respond - How an organisation responds to issues that arise is seen as one of the litmus tests for the culture of an organisation. The implementation of the EU Whistleblower directive across many EU Member States highlights the importance of companies having fit for purpose whistleblowing programmes. The identification of incidents through a proper compliance and whistleblower programme, a prompt and objective investigation, and appropriate remediation not only limits damage for the company but may be viewed positively by the authorities.
Navigate conflicting laws driven by national security and geopolitics
Expect increasing global geopolitical tensions to ensnare more companies - The dynamics of geopolitics and national security concerns means that businesses can increasingly end up as pawns, often being stuck between conflicting requirements that require delicate navigation.
New data and national security laws in China need to be carefully considered during any investigation which has a Chinese nexus. The U.S. government has explicitly said that fighting corruption is now a U.S. national security priority – meaning more FCPA enforcement. There are new sanctions aimed at overseas corruption and human rights abuses (e.g in the US, EU and UK). And counter-measures/blocking rules (eg. in China and the EU) are aimed at limiting the impact of some sanctions.
How you should respond - Companies will need to consider the commercial, legal and enforcement context in order to adopt a sensible path through these national security driven and often conflicting requirements.
Don’t underestimate the expanding global enforcement web
Expect greater international collaboration and information sharing among enforcement agencies - Despite the geopolitics, there is undoubtedly more collaboration between some jurisdictions either informally or formally. A June 2021 White House memo states that working with international partners on anti-bribery enforcement is a priority. The new European Prosecutors Office started work in 2021 and is already involved in investigations. More countries are entering into bilateral cooperation agreements in the fight against financial crime.
How you should respond - Any investigation that has touch points in more than one jurisdiction will likely involve the authorities talking behind the scenes at the investigation, charging and settlement stages. This should impact a company’s strategic decisions, particularly around interactions with authorities during an investigation.
Looking after your data
Expect more attention from regulators and enforcement agencies as they double down on data protection and cybersecurity failures - More jurisdictions are introducing data protection laws or national security laws which apply to a company which needs to move or use data during an internal or external investigation (e.g. Hong Kong, China, South Africa).
How you should respond – Understand the legal and enforcement context that applies to any use or movement of company records, documents or any other data during an investigation. There is no substitute here for being attuned to the attitudes of the authorities involved, and knowing the options when navigating a path which deals with data privacy and other legal concerns whilst at the same time enabling a company to investigate allegations of misconduct or meet requests from foreign regulators.
Expect enforcement agencies to want to see evidence stored abroad: Criminal authorities are keen to have the ability to access data held abroad relating to a company under investigation. There have been law reforms or proposed law reforms in the US, UK, EU, South Africa and Australia all aimed at making it easier for authorities there to obtain data directly from foreign third party communication service providers. There have been legal challenges (for example in the UK, Australia, Belgium) over authorities’ ability to access data or compel production of documents abroad.
How you should respond - Lawyers involved with external investigations need to understand the proper remit of authorities’ powers to order or seek disclosure of data held abroad (e.g. by a holding company or by a third party communications service provider). This insight should inform a workable, risk-reducing approach to disclosure as well as capitalise on cooperation credit if a company decides to provide documents that go beyond what an authority is legally entitled to compel.
Expect cybersecurity to remain a priority - Companies face hefty fines, and cybersecurity remains a favourite on many authorities’ compliance and enforcement agendas. U.S. SEC Chairman Gary Gensler has prioritised cybersecurity, including cyber-hygiene and incident reporting. In Australia, ASIC has brought its first court action against a company for failing to have adequate cybersecurity systems in place. The pandemic provided a breeding ground for cyber criminals to infiltrate organisations on a scale not seen before, with ransomware the malware of choice for many seeking to cause maximum disruption to businesses during already challenging times.
How you should respond: The most effective way to address the threat of these attacks is to invest in strong defences and experienced personnel whilst implementing robust processes and procedures so that a business stands ready to react, respond and remediate any incidents that occur. Read more on our cybersecurity series: “Infiltrate, extort, repeat”.
Understand the risk/benefit analysis on 'cooperation'
Expect to have to weigh up the pros and cons of cooperation - Many developed regimes encourage a company under investigation to cooperate with the authorities in order to obtain 'credit' which can, in turn, mean a greater chance of avoiding a corporate conviction and help to secure a discounted fine.
How you should respond - Corporate appetite for cooperation will depend on the perceived benefits. Consider whether penalty discounts are sufficiently differentiated from a company that is convicted following a guilty plea or does not initially self-report. The degree of cooperation that a company will want to engage in should be informed by an understanding of the advantages and disadvantages, its approach in other jurisdictions, and also an analysis of the risk of corporate criminal liability, which varies by jurisdiction and, as above, is another evolving area of law.
Be alive to the pinch points on privilege
Expect more pushback when claiming legal privilege – This has been a challenge for some years. There is often a tension between an authority's expectations of cooperation, and rules on legal professional privilege. Some authorities are hardening their stance on privilege, eg by demanding either third-party certification of privilege claims or exercising or demanding more power to determine the applicability of legal privilege in particular cases.
How you should respond - In-house counsel are advised to continue to consider carefully how to manage issues of privilege and cooperation, perhaps adopting a tiered approach with “crown jewel” privilege claims (for example communications with external lawyers) and other privilege claims which it may be less uncomfortable about waiving (for example, notes of interviews with some employees). Any decision to waive privilege must be informed by a strategy to minimise the wider impact of any waiver as well as an analysis of the possible use that an authority may make of the material, including possible onward transmission by the authority to a third party.
Our lawyers have a vast amount of strength and depth in many geographical areas and are used to helping our clients navigate all these issues to reach effective and practical solutions. If you would like to discuss any of the issues arising in this publication with our team, please contact email@example.com.
2021 saw another year of high levels of regulatory activity in Australia. The regulatory landscape has continued to experience significant shifts against the backdrop of the COVID-19 pandemic’s impact on Australia’s economic and political spheres. ASIC, the financial services regulator, has departed from its much-publicised and controversial “why not litigate” approach in favour of an approach that prioritises promoting Australia’s economic recovery. Parliament has enacted legislation in a wide range of areas impacting on white collar crime and investigations, with more reform on the horizon, including in relation to money laundering and terrorism financing, foreign bribery, and corruption. However, legislative priorities may shift in the lead-up to, and aftermath of, Australia’s next federal election, which must be held by May 2022. The first enforcement action against a company for cybersecurity failings is almost certainly a sign of more to come.
In 2021, criminal enforcement in Belgium was robust, focussing on various crimes, such as complex fraud and money laundering involving financial intermediaries, corruption, cybercrime, and environmental pollution. The Belgian legislator continues to develop a Business and Human Rights framework that will serve as an additional tool to sanction breaches of fundamental rights. Private companies are increasingly sensitive to criminal law risks, including in the field of M&A, where compliance in the broad sense of the word has become a focal point. Looking forward to 2022, we expect these trends to continue and intensify. The implementation of the EU Whistleblowing Directive will result in increased disclosures, fuelling new investigations and criminal prosecution. Finally, also under EU influence, the operationalisation of the European Public Prosecutors Office will elevate financial crime on the enforcement agenda, strengthen cross-border enforcement, and favour contentious litigation over out-of-court settlements.
New data protection and data security laws in Mainland China add considerably to the complexity of conducting cross-border investigations with a nexus to Mainland China, and meeting information requests from foreign regulators. A new ‘anti-sanctions’ regime is aimed at counteracting foreign sanctions and trade controls, and multinational companies doing business in Mainland China are expected to follow. The ABAC regime continues to develop with a greater focus on enforcement against private company offerors of bribes. The real estate and construction industry has been the primary focus of criminal actions in 2021, and the life sciences industry remains the primary focus of administrative penalties. Looking ahead to 2022 we can expect to see more enforcement actions in these areas.
France remains a hub for white collar crime enforcement. Spearheaded by the National Financial Prosecutor’s Office (PNF), the white collar criminal enforcement landscape continues to move towards greater collaboration with overseas enforcement authorities, corporate settlements, and heavy fines. The fight against money laundering, tax evasion and corrupt practices remains at the forefront of enforcement action, alongside a rising number of investigations in the area of Environmental and Social Governance (ESG). Several bills have been presented by MPs to the French Parliament over recent months, relating in particular to the fight against corrupt practices, the internal investigation process and the protection of whistleblowers. Depending on how they progress through the French Parliament, they may give rise to new obligations for corporates with a French nexus in 2022.
2021 yielded many developments in the field of white collar crime enforcement and investigations in Germany. In July, the German Federal Court of Justice (Bundesgerichtshof) ruled that obtaining a refund of unlevied withholding tax in connection with a cum/ex trade constitutes the criminal offence of tax evasion. Against this backdrop, criminal enforcement against participants in these trades continued unabated, with several dawn-raids being conducted and new bills of indictment being issued. Criminal proceedings into cum/ex trading are now directed against more than 1000 suspects, including C-level executives of international banks.
In addition, the German legislator enacted a Supply Chain Due Diligence Act, which will come into force on 1 January 2023. The German lawmaker also expanded the scope of the criminal offence of money laundering with effect from 18 March 2021. The Corporate Sanctions Act, which was supposed to introduce more severe corporate fines and new rules for conducting internal investigations, was not passed. The previous German federal government also failed to enact the Whistleblower Protection Act, even though EU member states were obliged to transpose the underlying EU directive into national law by 17 December 2021. The new German federal government has announced that it will readopt these unfinished legal initiatives.
Hong Kong SAR, China
Personal data laws were amended in Hong Kong in 2021, meaning that businesses will need to be particularly careful about the expanded investigation and enforcement powers of the Privacy Commissioner for Personal Data (Privacy Commissioner). Despite Covid-19, financial regulatory enforcement actions have regained momentum. The Securities and Futures Commission (SFC) continues to focus on “high-impact” cases against financial institutions, listed companies and senior executives, with a targeted approach to enforcement. The Hong Kong Exchanges and Clearing Limited’s (HKEX) enforcement agenda and power, along with the Financial Reporting Council’s (FRC) enforcement actions, have become more advanced and proactive. Various local regulators have increased their level of collaboration to combat corporate fraud, misconduct, and malpractices in the financial market.
The Covid-19 pandemic has resulted in fewer criminal enforcements in the Netherlands. Nevertheless, corruption and other types of economic and financial crime remain high priorities for the Dutch enforcement authorities. The Dutch regulators and the Dutch Public Prosecution Service (the DPPS) continue to pay close attention to supervised gatekeepers of the financial system for non-compliance with Anti-Money Laundering (AML) regulations and sanctions law. In cases where a legal entity enters into a settlement with the DPPS, there seems to be an increased focus on the prosecution of individuals. In the criminal tax field, in 2022 we expect more attention to be given to matters where the integrity of the financial sector is under scrutiny, such as dividend stripping. Cybercrime is high on the enforcement agenda. We also expect more cases that will relate to business responsibility for human rights. A follow-up to the legislative processes surrounding a draft bill related to judicial review of high-value settlements with the DPPS is expected.
South Africa’s white collar crime framework continues to develop in the wake of a series of “state capture” enquiries by the Special Investigating Unit (SIU) and National Prosecuting Authority (NPA). Together with former President Zuma’s longstanding corruption trial relating to arms procurement in the late 1990s and activism on corporate accountability and environmental issues, this has led to clarifications regarding key issues in the investigation and prosecution of white collar crime. While South African courts have been particularly active in the past year, Parliament, National Treasury and regulators such as the South African Revenue Service (SARS) and Financial Intelligence Centre (FIC) have taken steps to consolidate and amend South Africa’s regulatory framework to enhance corporate transparency and improve personal data and crypto asset regulation – developments likely to unfold in the next year. Major cross-border investigations to watch include the cum/ex banking scandal while poaching continues to be a key focus of cross-border law-enforcement.
United Arab Emirates
2021 has seen the UAE implement a raft of measures to enhance its AML and CTF capabilities, including making key amendments to AML legislation, the issuance of new joint agency guidance on AML and CTF compliance and the establishment of a new federal AML/CTF agency and a money laundering specialist court in Dubai. These actions have implications for both the UAE’s onshore jurisdiction and its key offshore jurisdictions including the Dubai International Financial Centre (the DIFC) and the Abu Dhabi Global Market (the ADGM).
These developments place a key focus on expanding the scope of the UAE’s AML/CTF regime and increasing the monitoring of high-risk sectors for financial crime (including emerging areas of the financial services industry such as virtual assets).
Enhancing coordination and cooperation both across jurisdictions and between agencies has also been a priority.
There have also been developments which have aimed to enhance the UAE’s anti-bribery and corruption compliance credentials, make whistleblowing protections clearer and make corruption and compliance reporting easier.
The pace of regulatory change and development (in particular in the area of combatting financial crime) is likely to continue and so it remains of crucial importance for businesses to have robust systems and controls in place to understand, adapt to and ensure ongoing compliance with the quickly changing and increasingly complex regulatory environment in the UAE.
Money laundering was firmly in the sights of the UK authorities in 2021 and will remain so in 2022. The FCA managed to secure a guilty plea and a large fine from a bank in its first prosecution of a bank under the UK Money Laundering Regulations and the UK’s entire CTF/AML regime is currently under review. The AML supervision of cryptoassets will likely evolve in 2022 as it is considered a high risk area.
New criminal offences relating to defined benefit pension schemes were introduced, but the consultation on corporate criminal liability more generally is still ongoing, with a report expected from the Law Commission in early 2022. Big Tech companies are under pressure to reduce online harms, with new criminal offences possibly being introduced in 2022 via the Online Safety Bill.
The Serious Fraud Office is likely to be focussing on frauds on the public purse committed during the pandemic. It will also be trying to regain its enforcement momentum after some difficult (for the SFO) court decisions that curtailed its ability to obtain documents held abroad and criticised the SFO’s lack of disclosure in some high profile cases. 2021 saw the number of new SFO corporate criminal investigations fall to the lowest number (four) in over a decade.
Investigations into ESG related issues are becoming much more common, as investors and employees seek to exert pressure on companies to improve treatment of workers in supply chains and reduce environmental impact.
The Biden Administration, including the President himself, has signaled an intent aggressively to ratchet up enforcement efforts on many fronts, spanning both the criminal and civil contexts. The U.S. Department of Justice (DOJ), Securities and Exchange Commission (SEC), Commodity Futures Trading Commission (CFTC), and Federal Trade Commission (FTC), among other regulatory agencies, have all shown signs of a more zealous enforcement approach, which marks a sea change in the regulatory landscape compared to that of the prior administration. The shift toward an aggressive regulatory environment includes the deployment of more proactive investigative methods, a greater focus on prior misconduct, increasingly stringent corporate resolutions, and broader theories of corporate liability. These changes have undeniable implications for companies in all sectors, such as: (1) the need for robust compliance programs that incorporate strong prophylactic controls and remediate misconduct appropriately; and (2) the increasing importance of expert legal advice in navigating the heightened expectations of regulators and understanding the regulatory risks companies face in conducting their operations.
Download the Cross-Border White Collar Crime and Investigations Review
The 'Cross-Border White Collar Crime and Investigations Review' analyses the latest developments and trends, and highlights the most significant among the current and emerging issues that white collar crime and investigations in-house counsel should prioritise in the year ahead.