The DPA challenge - the SFOs first DPA-related conviction

What you need to know

In what has been a busy week for news about the Serious Fraud Office (SFO), it has finally secured its first conviction for an individual connected to conduct which is subject to a Deferred Prosecution Agreement (DPA), eight years after such agreements were first introduced in the UK. A DPA is a court-sanctioned agreement, available to the SFO and the Crown Prosecution Service as an alternative to prosecution, and under which prosecution is suspended for a defined period, provided that specified conditions are met. Conditions typically include a financial penalty, disgorgement of profits and compliance programme remediation. On expiry of the DPA, and subject to the company's compliance with its terms, the prosecutor will discontinue proceedings for the alleged offence. DPAs have been a popular option for companies keen to avoid prosecution and prepared to remediate their governance and compliance shortcomings.

The criminal conduct alleged in these latest DPAs was that bribes were paid to secure contracts for office refurbishment amounting to several million pounds. The offences included section 7 of the Bribery Act 2010, which imposes criminal liability on a company which fails to prevent bribery by a person acting on its behalf. The statutory defence to a section 7 offence is for the company to have in place adequate prevention procedures.

Since their introduction in 2014, the SFO has entered into 12 DPAs with corporates for fraud, false accounting and bribery but has been unable to prosecute, successfully, any of the individuals involved in the conduct. Instead, there has been a run of high-profile acquittals (such as in the case of Sarclad), a discontinuance of the prosecution (in the cases of Serco and G4S – announced today), or a decision not lay charges (such as in the case of Rolls Royce).

For the latest DPAs, reporting restrictions have been in place since 2021 (to protect those awaiting trial) and were lifted on 2 March 2023, disclosing that:

• UK companies, Bluu Solutions and a related business, Tetris Projects, entered into DPAs agreeing to pay a total of £2.5 million for offences of bribery;
• a project manager pleaded guilty to accepting bribes from Bluu Solutions in order to win office refurbishment contracts; and
• other individuals were acquitted, following a trial, in January 2023.

Why this matters to regulated firms and businesses operating in the UK

It is doubtful that this outcome alone will re-balance the public's loss of confidence in the prosecution agency's ability to take action against individuals responsible for the conduct which forms the basis of a DPA.  Nor is it clear that the SFO, soon to be under new leadership, will regain its appetite to try.  But this outcome demonstrates that such convictions are possible, and may go some way towards meeting concerns about corporates accepting culpability via a DPA, while the individuals accused of the conduct are not pursued successfully.

This case again pushes financial crime to the top of the enforcement agenda for corporates. It also touches on a number of themes familiar to those operating in the regulated sector:

• Risk of severe outcomes for individuals and firms involved in serious financial crime. DPAs are a core part of the armoury of UK law enforcement. The first DPA in 2015 was agreed with a financial institution and their continued use serves as a reminder to firms of the potential financial and reputational consequences where such risks crystallise in their businesses. Although the FCA does not have the power to agree a DPA, the regulator has a track record of working with other agencies to pursue its own enforcement outcomes. For example, following the DPA agreed between the SFO and Tesco in April 2017, the FCA used its powers under section 384 FSMA to require Tesco to pay compensation for alleged market abuse, arising from the underlying facts of the DPA.
• Individual accountability for financial crime. Whilst it could be said that the SFO struck lucky with a guilty plea in this case (the SFO's case was not challenged in a trial), it is a significant milestone which will embolden case teams to continue to pursue individuals. The risk is higher for senior individuals in the regulated sector, who face the additional threat of personal liability under the FCA's Senior Managers and Certification Regime.
• Money laundering remains a focus. The SFO pursued money laundering allegations in this case (the relevant defendant was acquitted) demonstrating the risk of prosecution for conduct which breaches the Proceeds of Crime Act 2002. The SFO has a specific division which investigates money laundering, highlighting AML as a key feature of the UK's financial crime enforcement landscape. For regulated firms, the criminal liability risk is heightened in light of their obligations under the Money Laundering Regulations 2017. As discussed in our recent briefing, the FCA has become increasingly proactive in its enforcement against failings related to AML systems and controls. This has resulted in a flurry of fines in the past 12 months, including two since the start of 2023.

Our three takeaways

1. Although clearly a success for the SFO, it is unclear if this will pave the way for others. The SFO's announcement today that it has dropped its prosecution of three former executives of G4S following a DPA agreed with the company in 2020 demonstrates the extent of the challenge here. Both cases highlight once again the tension between corporates entering into DPAs in relation to criminality, whilst senior managers said to be responsible for the misconduct are not convicted.
2. The SFO has had a number of notable successes with the DPA model and we expect it to remain the SFO's preferred enforcement tool. Furthermore, the proposed introduction of an offence of "failure to prevent fraud" is likely to lead to an increase in the number of DPAs.
3. Continued enforcement action relating to financial crime represents a material legal and regulatory risk to firms. Combined with the FCA's activity in this area, it is imperative that regulated firms have a robust approach to their financial crime risk assessments, the nature of the information they gather for financial crime purposes and their readiness to navigate enquiries from regulatory agencies.

Authors: Ruby Hamid, Adam Jamieson, Neil Donovan and Elliott Kenton