Full report: Cross-border white collar crime and investigations review 2024

Our analysis of the most significant financial crime and investigations developments over the past 12 months provides a revealing picture of the increasingly complex and challenging regulatory and enforcement landscape facing businesses around the world. 

More countries are introducing or amending financial crime laws, new types of businesses are being brought into the scope of existing laws, and there are increased expectations on corporate behavior from a wider range of stakeholders.

In response, in-house counsels need to help their businesses adapt to new expectations, and to mitigate the impact of the risks that arise.

This year’s review is divided into two complementary sections:

Challenges and priorities for 2024 – we highlight current and emerging challenges for in-house investigations teams and white-collar crime lawyers and share our thoughts on how to manage the associated risks.

Country-by-country analysis – we review key developments in selected jurisdictions during 2023.

What to prioritize in 2024

Increased scrutiny of internal investigations

The conduct of internal investigations is coming under more scrutiny by enforcement authorities, employees and other stakeholders.

• Conduct of internal investigations - there is a growing body of rules and expectations about how such investigations should be conducted so that the basis of the investigation is transparent (is it independent?), fair (in relation to the treatment of interviewees or the skills of those investigating) and robust (e.g. the collection and review of data). For example, in France a new joint guide on anti-corruption internal investigations contains ‘best practices’ for conducting an internal investigation. The Disciplinary Court of the Dutch Bar Association has ruled on specific requirements for when a lawyer is carrying out an ‘independent’ investigation, e.g. on the independence of the investigator and their interactions with parties involved. Similar calls are being voiced in other jurisdictions. In China there are rules which affect how data/evidence can be collected for an internal investigation. Law reforms in the UK mean that internal interviews of senior managers need to be handled even more carefully.
• Privilege and confidentiality of documents - there have been challenges in many jurisdictions concerning whether privilege attaches to documents created during an internal investigation, and a recent legislative attempt to extend legal professional privilege to in- house lawyers’ legal advice in France has failed. A failure to adhere to these rules or expectations risks legal and/or reputational consequences.

How to respond: Be sensitive to the expectations of authorities (which may become involved only at a later stage) when conducting an internal investigation. The rules are evolving, so seek up-to- date advice. It will often be easier to design the internal investigation to factor those expectations in at the outset, rather than reverse-engineer it afterwards. Take local law advice when investigations concern operations or individuals based overseas. There may be special rules, e.g. about the treatment of interviewees, how data can be collected, or how the investigation can be structured to take advantage of available privileges.

The new ‘senior manager’ test for corporate attribution in the UK means, that before conducting an interview during an internal investigation, consider whether the individual meets the new ‘senior manager’ test. If so, that person’s conduct can be attributed to the company in respect of economic crimes. Consider how to structure the interview to get considered and reliable evidence rather than a knee-jerk reaction. Achieving that may be easier if the individual receives independent legal advice. 

Enhanced whistleblowing laws

The implementation of the EU Whistleblowing Directive in many Member States during 2023 has accelerated the need for businesses to ensure that their whistleblowing reporting lines and policies conform to the new rules. There is an expanded category of workers who can make a whistleblower report (now including interns, temporary workers and new recruits who have not started work), and new rules on where/how reporters can make a report, how the report is triaged, and protections for the whistleblower. Individuals can claim damages for retaliation and there is a reversed burden of proof on the issue of causation between reporting and retaliation.

How to respond: Implementing the new rules will no doubt give greater confidence for whistleblowers to come forward in those jurisdictions, so businesses should expect more internal investigations to be conducted. They should therefore be ready to receive and triage these reports, train those who may be involved, and ensure that any resulting internal investigation is carried out in accordance with applicable laws and expectations.

Video: what is the impact of the EU Whistleblowing Directive for businesses? 

Employees and workers in the value chain

Businesses continue to face legal and reputational risk arising from how those who work for them directly, or for businesses in their value chain, are treated. In Australia modern slavery laws are being strengthened, and a new anti-slavery commissioner is being appointed. The French Civil Court ordered a French company to improve its compliance program following the use of undocumented workers by subcontractors. In many countries there is a growing prevalence of workplace investigations in response to allegations of misconduct, sexual harassment, discrimination, bullying or retaliation. Non-governmental organizations (NGOs) and other activists are trying novel ways of using existing laws to tackle modern slavery issues, e.g. money laundering law has been used in the UK to try to force the authorities to take action over cotton imported from regions where modern slavery is alleged to be a risk.

Businesses face increasing pressures and obligations globally in respect of supply chain due diligence and modern slavery disclosures which result from new and proposed legislation in jurisdictions such as Belgium, France, Germany, the U.S. and the Netherlands. The European Parliament and the EU Council said on December 14, 2023 that they have reached a provisional agreement on a corporate sustainability due diligence directive that aims to introduce rules for companies to protect human rights and the environment. Businesses therefore cannot afford to consider the enforcement risks in only one jurisdiction.

How to respond: Businesses should already be considering supply chain issues and taking steps to address risks such as modern slavery. Careful thought will need to be given to how these types of investigations are structured, bearing in mind the chance of follow-on civil or regulatory action. These issues often intersect with others in relation to environmental concerns or corruption, particularly where third parties are involved. Take an integrated (not siloed) approach to managing ESG issues across a business’ third-party ecosystem.

Corruption risk and third parties/intermediaries

Use of third parties/intermediaries remains a high corruption risk. Almost all FCPA and other corruption cases involve the use of third parties or intermediaries to make corrupt payments to win work or obtain confidential data. In 2023, Enforcement authorities took action on corrupt payments to third parties, including those concealed as, e.g. consultancy fees, sponsorship or charitable donations. Australia is implementing reforms to its foreign bribery regime. The U.S. Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs has been updated and has an increased focus on managing third-party relationships. Looking further ahead, the EU Commission is proposing a new directive on combatting corruption which will contain harmonized definitions of criminal offenses and increased criminal sanctions.

How to respond: Policies and procedures around the use of such business partners must be properly implemented and reviewed on a regular basis. Ensure that commercial pressures are not trumping adequate due diligence. Compliance and finance functions need to be properly resourced with staff who have the right level of experience, seniority, and clear accountability. Not only will these measures help prevent misconduct, they will also be a mitigating factor should there be any enforcement action.

Data analytics offer insights to drive compliance programs, and authorities’ expectations in this regard are increasing. Compliance teams should consider whether they use data effectively to: (i) monitor third parties, using real-time data, throughout the lifecycle of the business relationship; (ii) save time and costs; and (iii) inform the design, implementation and effectiveness of compliance programs. If using an external data company, evaluate the parameters/limits of what they offer, e.g. how are they defining a state-owned entity or politically exposed person?

Financial services firms should consult the new Wolfsberg Guidance published in 2023.

Environment-related financial crime risk

Authorities are under pressure to clamp down on crime associated with the environment and climate change. Money laundering is being used as a proxy offense for environmental crimes, e.g. a criminal complaint was filed by several NGOs against four major French banks accused of laundering the proceeds of illegal deforestation in Brazil.

There is enforcement action relating to greenwashing. While most is now of a regulatory nature, a knowingly dishonest representation about green credentials could trigger criminal liability for fraud, including for a business. There is likely to be pressure to use criminal enforcement in serious cases.

There are bribery and corruption risks associated with the race to growth and investment in ‘Net-Zero’ related projects such as carbon offsetting and renewable power projects, many of which involve dealing with overseas public officials to win contracts or manage local community issues. 

How to respond: A holistic approach to the ‘E’ in ESG requires the bringing together of expertise from a mixture of compliance skillsets (anti-bribery and corruption, anti-money laundering, tax). Businesses should monitor legal and regulatory obligations globally and map them to existing policies and processes, e.g. third-party risk management, contracting/procurement, M&A, and financial and regulatory reporting. Conduct a risk and control assessment. If there are gaps, create a prioritized plan to plug them.

Tax evasion and public procurement fraud

Governments in many jurisdictions are keen to recoup losses from tax evasion. A new UK corporate criminal offense of ‘failure to prevent fraud’ catches cheating the public revenue. France has introduced a new criminal offense relating to the facilitation of tax fraud, intensified scrutiny of the banking sector, and collaborated with German authorities in conducting dawn raids on major French banks. The Dutch tax and criminal authorities announced their focus on combatting dividend stripping, and publicly invited market participants to come forward with information on these practices. Germany has been actively enforcing corporate tax evasion enforcement, and this is expected to continue in 2024. The European Public Prosecutor has also been very active, with a specific mandate to tackle fraud on the EU. Its most recent Annual Report reveals that it had conducted 1,117 active investigations by the end of 2022, of which 47% were related to VAT fraud.

Public procurement fraud is also costly for the public purse. The UK’s new ‘failure to prevent fraud’ offense is capable of being deployed to prosecute a UK or non-UK company that has defrauded the UK Government in a public procurement context. The UK Public Sector Fraud Authority, formed after the pandemic, has a specific remit to tackle public sector fraud. There are specific new procurement-related offenses, e.g. in South Africa, Italy and Poland, aimed at ensuring transparency and reducing corruption and other interference with procurement processes. 

How to respond:Businesses that contract with public authorities should ensure that those representing the business receive financial crime compliance training. The only defense in the UK to a ‘failure to prevent fraud’ offense, which can bite on UK and non-UK companies, is having reasonable procedures in place to prevent fraud. Businesses should conduct a risk assessment on where the risk of fraud lies in their organizations and implement fraud controls if they have not already done so. This may also be a good time to review whether the business still has ‘reasonable prevention procedures’ in place in relation to the UK’s ‘failure to prevent the facilitation of tax evasion’ offense, introduced in 2017. It is possible that a clamp-down on tax evasion in some jurisdictions may cast the spotlight on those that facilitated it. 

AML compliance for financial gatekeepers 

Expect tougher anti-money laundering and counter-terrorist financing laws. A broader range of gatekeepers are increasingly being bought into the anti-money laundering/counter-terrorist financing framework, with regulations being expanded in many jurisdictions to catch virtual asset service providers and fintechs. While automation and AI can do some of the heavy lifting on AML compliance, enforcement shows that performance of AI will only be as good as (1) the data it relies on, and (2) the quality of the human decision making at the point when the system raises a red flag. We expect to see continued scrutiny and rigorous enforcement in this area, particularly around weak systems and controls. The focus on this area is illustrated by the plan to create an EU-wide authority to fight money laundering. 

How to respond: All types of business, not just those in finance, should identify money laundering risks and implement controls, with appropriate senior management oversight, to mitigate them. Compliance functions must be adequately resourced. Staff should be sufficiently experienced and feel empowered to independently question decisions taken by others.

Lower bar for corporate criminal exposure 

The goal of legislative reform in several jurisdictions is to make it easier to convict large companies of criminal offenses. In the UK there is a new ‘failure to prevent fraud’ offense for businesses, and changes to the UK identification doctrine mean the conduct of ‘senior managers’ in respect of economic crimes (and soon all crimes) can now be attributed to their employers. 

How to respond: Any analysis of corporate exposure following allegations of misconduct should factor in the jurisdictions involved, and the risk of corporate (and individual) liability. Care should be taken during internal interviews of senior individuals so as not to elicit inaccurate evidence on knowledge/intent. 

Businesses should reduce their financial crime risk and maximize their chance of successfully mounting an ‘adequate procedures’ defense, where applicable, by implementing an effective compliance program. Businesses that formulated their policies some years ago should review relevant guidance, update policies, provide regular training to staff, and ensure that senior and middle management set the right tone in their behavior and communications. This is particularly important given the widespread adoption of hybrid working in some sectors. Data analytics offer insights to drive compliance programs and authorities’ expectations in this regard are increasing. Compliance teams should consider whether they use data effectively to inform the design, implementation and effectiveness of compliance programs.

Corporate culture and effective compliance

Expect more scrutiny of how corporate culture and compliance interact. Authorities want to understand an organization’s culture and how it ensures that its employees understand and comply with the rules. The design and effectiveness of a compliance program will be scrutinized. Large global companies with sophisticated policies and procedures have fallen foul of financial crime laws where the culture of the organization tolerates misconduct. We expect to see continued scrutiny by authorities on ‘tone from the top’ and the tone from within (i.e. middle management). The U.S. DOJ has made announcements concerning how organizations police the use of personal devices and ephemeral messaging. Executive compensation and incentives (and particularly clawback) are also a focus. These issues are also very topical in the UK given the removal of the bankers’ bonus cap. 

How to respond: How an organization responds to issues that arise is seen as a litmus test for the effectiveness and resilience of its culture. The continued implementation of the EU Whistleblowing Directive across many EU Member States highlights the importance of whistleblowing programs that are fit for purpose. 

Chief Compliance Officers and other senior leaders with compliance responsibilities will want to keep fully up to date with evolving expectations of regulators, especially given that they are an enforcement focus for the SEC, and new DOJ certification requirements for post-enforcement compliance programs in the U.S.

Conflicting laws driven by geopolitics

Expect increasing global geopolitical tensions to ensnare more businesses. The dynamics of geopolitics and national security concerns mean that businesses can increasingly end up as pawns, often being stuck between conflicting requirements that necessitate delicate navigation.

The U.S. authorities are increasingly viewing traditional enforcement actions through a national security lens. The data and national security laws in China need to be carefully considered during any investigation which has a Chinese nexus. Many countries in Europe are tightening their sanctions frameworks and increasing sanctions enforcement, and the EU has successfully concluded negotiations for a new directive harmonizing criminal law standards and penalties for sanctions violations across the EU. 

How to respond: Businesses will need to consider the commercial, legal and enforcement context to adopt a sensible path through these national security-driven and often conflicting requirements.

Data – protecting yours (and others’)

Expect continued attention from regulators and enforcement agencies as they double down on data protection. More jurisdictions are introducing data protection laws or national security laws that apply to a business that needs to move or use data during an internal or external investigation. 

How to respond: Understand the legal and enforcement context that applies to any use or movement of company records, documents or any other data during an investigation. There is no substitute for being attuned to the attitudes of authorities and third parties involved, and knowing the options when navigating a path that deals with data privacy and other legal concerns while at the same time enabling the business to investigate allegations of misconduct or meet requests from foreign regulators. 

Expect enforcement agencies to want to see evidence stored abroad. Criminal authorities are keen to have the ability to access data held abroad relating to a business under investigation. There have been law reforms or proposed law reforms aimed at making it easier for authorities to obtain data directly from foreign third-party communication service providers. There have been legal challenges over authorities’ ability to access data or compel production of documents abroad. 

How to respond: Lawyers involved with external investigations need to understand the proper remit of authorities’ powers to order or seek disclosure of data held abroad (e.g. by a holding company or by a third-party communications service provider). This insight should inform a workable, risk-reducing approach to disclosure as well as capitalize on cooperation credit if a company decides to provide documents that go beyond what an authority is legally entitled to compel. 

Expect cybersecurity to remain a priority. Businesses face hefty fines, and cybersecurity remains a favourite on many authorities’ compliance and enforcement agendas. The pandemic provided a breeding ground for cyber criminals to infiltrate organizations on a scale not seen before, with ransomware as the malware of choice for many seeking to cause maximum disruption to businesses. 

How to respond: The most effective way to address the threat of these attacks is to invest in strong defenses, experienced personnel and implementing robust processes and procedures so that a business stands ready to react, respond and remediate any incidents that occur. 

The risk/benefit analysis on ‘cooperation’

Expect to have to weigh up the pros and cons of cooperation. Many developed regimes encourage a business under investigation to cooperate with the authorities to obtain ‘credit’ which can, in turn, mean a greater prospect of avoiding a corporate conviction and help to secure a discounted fine. In 2023 the U.S. introduced new incentives for businesses to disclose misconduct even where there are aggravating factors. The Hong Kong SFC has emphasized the importance of voluntary and prompt reporting. In France, March 2023 revised guidelines on internal corruption investigations to advise companies to inform the criminal authorities ‘as soon as possible’. 

How to respond: Sometimes businesses receive large discounts on fines for cooperation during an investigation, despite not having self-reported. There are many factors to consider when deciding whether to self-report, including the perceived benefits regarding a discount on fine, the options available to a prosecutor in any given jurisdiction, and whether the authorities are likely to find out anyway, e.g. from the extensive cross-border cooperation which is now the norm between many jurisdictions. Consider whether penalty discounts for self-reporting/cooperation are sufficiently differentiated from a business that is convicted following a guilty plea or does not initially self-report. The degree of cooperation that a business will want to engage in should be informed by an understanding of the advantages and disadvantages, its approach in other jurisdictions, and an analysis of the risk of corporate criminal liability, which varies by jurisdiction.

Unsanctioned communication channels

Unauthorized use of unmonitored personal devices and encrypted communication applications is widespread, and poses significant enforcement risk, particularly to those in regulated sectors. It also impairs the ability of internal investigators to access and uncover facts quickly should an allegation of misconduct arise. The U.S. DOJ has issued new guidance in this area for all businesses, not just those that operate in highly regulated sectors.

How to respond: General Counsel and Heads of Risk must ensure that employment policies and agreements are fit for purpose, and actively policed. One approach is for policies to make clear that personal devices cannot be used for business purposes in any circumstances, and then to reiterate this message in the regular compliance training and communication program. Privacy and employment laws can pose additional challenges to consider if access to a personal device becomes necessary. A common practice is developing to retain pool counsel or independent counsel for individual employees to review and identify responsive correspondence from an employee’s personal device. Obtaining consent to access a personal device, particularly during the throes of an investigation, can create tensions, as well as test your policies and employment agreements.

Investigate how technology can help to quickly search data to pinpoint key communications during an investigation. Using technology to do the heavy lifting at the document review stage often saves costs in the longer term and narrows the scope of manual review needed.

Our lawyers have a vast amount of strength and depth in many geographical areas and are used to helping our clients navigate all these issues to reach effective and practical solutions. If you would like to discuss any of the issues arising in this publication with our team, please contact amy.edwards@aoshearman.com. 

Country executive summaries