Many significant developments took place in 2023 across the landscape of corporate crime, and we can expect to see more in 2024. In particular, we expect three areas to come under increased scrutiny: sanctions, deferred prosecution agreements (“DPA”) and commercial corporate liability.
As the war in Ukraine enters its third year, we expect that sanctions will continue to spearhead the international political and legal agenda with enforcement likely to ramp up, assisted by expanding resources, new disclosure requirements and improved international cooperation. An increase in activity can also be expected in relation to DPAs, with the end of 2023 seeing the Crown Prosecution Service (“CPS”) concluding its first DPA. With 2024 also marking the 10th anniversary of the legislation introducing DPAs, we expect to see an increase in companies monitoring and updating their financial crime compliance procedures, in response to the CPS’s newfound recognition of the agreements.
Finally, the end of 2023 saw the Economic Crime and Corporate Transparency Act (the “ECCTA”) come into force, a significant and welcome step in corporate criminal liability which we expect will drive further constructive change in compliance behaviour and corporate self-regulation. We expect the new offence of failure to prevent fraud to result in many companies augmenting or adjusting their compliance systems, as they look to avoid potential legal action. And the expansion of corporate criminal liability to include the acts of “senior managers” – a term that is sure to be litigated – will lead to much action in and out of court.
The legal landscape has shifted, and both companies and individuals need to make sure they’re prepared for what lies ahead in 2024 and beyond. Here, we lay out what you can expect.
We expect that sanctions, particularly those relating to Russia, will remain at the forefront of the international political and legal agenda. In response to Russia’s invasion of Ukraine in 2022, the UK has so far designated 1950 persons (1681 individuals and 269 entities) for the purpose of an asset freeze.1 These include many of the wealthiest Russian individuals and largest Russian companies, with business and other ties around the world, making dealing with Russian sanctions by many measures more complex than any previous set of sanctions.
Russian sanctions are highly unlikely to become any less restrictive in the near term, as Western governments have been unanimous in their view that the sanctions must remain in place at their current level (if not strengthened) until such time as a durable peace agreement is reached in Ukraine.
Many significant developments took place in 2023, and more are expected in 2024.
While it is understood that the pace of investigation into breaches of sanctions is increasing, which may bear fruit in 2024, 2023 shows only a small increase in enforcement in the UK. In 2023, the Office of Financial Sanctions Implementation (“OFSI”) issued nine fines, with three exceeding £50,000, and seven warning letters in response to breaches that did not warrant public enforcement action.2 This is an increase from eight fines, with two exceeding £45,000, in 2022,3 but remains less than expected, given the significant broadening of sanctions.
In 2022-2023, OFSI recorded 473 suspected breaches of financial sanctions (excluding oil price cap and counter-terrorism breaches). This is a significant increase on the 147 suspected breaches recorded in 2021-2022. This increase was expected given the scale of increased Russia sanctions, and OFSI’s increased enforcement capabilities.4
OFSI has been granted significant new powers over the years, and in 2023, it used its disclosure powers for the first time to publish details of a breach on its website. The disclosure powers are to be used for breaches that are moderately severe: too serious for a simple administrative warning but not serious enough to warrant a civil monetary penalty.5 The first target of the powers was Wise Payments Limited (“Wise”), which had breached regulation 12 of The Russia (Sanctions) EU Exit Regulations 2019 (the “Russia Regulations”), as reported by OFSI on 31 August 2023.6 A cash withdrawal of £250 was made from a business account with Wise held by a company owned or controlled by a designated person under the Russia Regulations. In permitting the withdrawal, Wise breached the prohibition on making funds available to a company owned or controlled by a designated person. Despite the low breach value, OFSI considered Wise’s systems and controls, specifically its policy surrounding debit card payments, to be inappropriate. Mitigating factors included Wise’s voluntary disclosure, lack of deliberate sanctions evasions and remedial actions undertaken by Wise. OFSI is expected to continue to use its disclosure powers in cases of similar gravity.
The distinctive nature of the targets of the Russian sanctions, many of whom own property and/or reside in the UK, has made the question of licensing more important than ever before, since licences may be needed to employ locals and pay UK vendors. Decisions were taken on 503 cases, up from 170 in the previous reporting period; 164 licences were granted in relation to the Russian sanctions regime. OFSI issued 21 general licenses in connection with the Russian sanctions regime.
In 2023, for the first time, OFSI’s refusal to grant a licence in the requested terms led to a judicial review hearing, which was ultimately unsuccessful. On 26 October 2023, the Court heard a judicial review application made against OFSI by Mikhail Fridman, a designated person, under section 38(2) of the Sanctions and Anti-Money Laundering Act 2018 (“SAMLA”).7 After designation, Mr Fridman, who owns a large property in London was granted licences to cover many payments, including utility bills, insurance premiums, legal fees and certain domestic staff payments. But he was refused licences for some requested household staff payments, as well as payments for internal phonelines and audio and TV equipment.8
Fridman challenged the refusal by way of judicial review, arguing that OFSI should have granted him licences because his requests met the basic needs derogation, routine holding and maintenance derogation and prior obligation derogation. But the High Court upheld every single refusal by OFSI. For the staff, while OFSI had the statutory power to grant the licence, the High Court ruled that it had acted rationally in refusing to allow the payment of drivers, a housekeeper and personal chefs, including because a purpose of the sanctions regime was to prevent designated persons from continuing the lifestyle they had enjoyed before being sanctioned.9 OFSI had also acted reasonably in not considering the phonelines and equipment to be a basic need.
The case showed that OFSI will grant licences for what are truly basic needs, but it retains broad powers to refuse licences for anything that falls outside those boundaries.
Legal and Trust Services Prohibition
In line with the EU, the UK has continued to restrict the general provision of services where it is considered useful to support the aim of sanctions.
In December 2022, the UK issued new prohibitions limiting designated persons and persons connected with Russia from accessing trust services provided by UK persons. Pre-existing trust services can still be provided to persons connected with Russia (Russian citizens based in Russia, Russian companies etc), but no new services can be provided; designated persons (of whom there are more than 1,820 so far) cannot be provided with any trust services.10
On 30 June 2023, the UK banned UK persons from providing legal advisory services to non-UK persons where the services related to activities that would be prohibited under the sanctions regime if those activities were performed by a UK person or took place in the UK.11 This ban includes: (a) the interpretation of law, (b) acting on behalf of a client or providing advice on or in connection with a commercial transaction, negotiation or any other dealing with a third party and (c) the preparation, execution or verification of legal documents.12 Contentious matters were not caught by the ban, and nor was advice as to the effect of UK sanctions. After an outcry by the legal community, a general licence was issued allowing the provision of advice relating to any sanctions regime and any criminal law, in either case imposed by any jurisdiction.13
Challenges to sanctions designations
2023 saw further challenges to sanctions designations, both in the UK and EU. Some of the highest-profile involved Roman Abramovich.
Eugene Shvidler, a UK-US dual citizen, was designated on the basis of his association with Mr Abramovich, including because he had a been a director at Evraz plc, a Russian steel company part-owned by Mr Abramovich. Mr Shvidler claimed the designation was discriminatory and irrational, including because he no longer worked at Evraz. The High Court upheld the designation as it considered that it was reasonable to suspect that Mr Shvidler obtained a benefit from Mr Abramovich through his remuneration by companies controlled by Mr Abramovich,14 and that his designation had a rational connection with the objective of encouraging the Russian government to cease or limit its actions in Ukraine.15
Mr Abramovich’s own challenge to his designation by the EU was rejected by the EU’s General Court on 20 December 2023. The court ruled that he was designated as a major shareholder of Evraz, which operates in economic sectors that provide a substantial source of income for the Government of the Russian Federation, and the designation was likewise rationally linked to the objective to exert pressure on the Russian government to end the war in Ukraine.16
What is Control?
In 2023, the English courts addressed the question of “control” under the Russia sanctions – but left nobody much the wiser.
Under the Russia Regulations, a non-designated person is subject to many of the same restrictions as a designated person if it is owned or controlled by a designated person. In Mints v NBT  EWCA Civ 1132, the Court of Appeal in obiter considered the parameters of control. Regulation 7 provides that control exists if it “is reasonable, having regard to all the circumstances, to expect that P [the designated person] would (if P chose to) be able, in most cases or in significant respects, by whatever means and whether directly or indirectly, to achieve the result that affairs of C [the company] are conducted in accordance with P’s wishes.”17 The Court of Appeal observed that this condition was described in wide terms and did not contain any limit as to the means and mechanism by which a designated person could achieve the result of control. Therefore, it considered the provisions covered all entities in respect of which a designated person “calls the shots”. As a result, the Court of Appeal acknowledged, this meant that Vladimir Putin could be deemed to control all companies in Russia. If that result was absurd, the Court of Appeal stated, it was for Parliament to clarify the legislation.
OFSI and the Foreign, Commonwealth and Development Office leapt into action and issued guidance notes on control. They stated an intention not to read the provision as widely as all that, and provided some examples of what they thought control might amount to, but did not provide much further assistance beyond the language of the statute.18
Shortly afterwards, the High Court in Litasco SA v Der Mond Oil and Gas Africa SA, Locafrique Holding Sa  EWHC 2866 (Comm) considered that there was an important substantive difference between “would” and “could”, and that the prohibition applied where a designated person had an existing influence, and not merely to a state of affairs which a designated person was in a position to bring about.19 Even so, Foxton J still allowed: “I would be prepared to assume that it is strongly arguable that President Putin has the means of placing all of Litasco and/or its assets under his de facto control, should he decide to do so.”
The true meaning of control therefore remains uncertain, and we expect most companies will read it as broadly as they can to ensure they avoid enforcement action, until such time as Parliament takes up the Court of Appeal’s invitation to fix the problem.
We expect that there will be plenty more sanctions-related activity in 2024.
Enforcement, which was relatively light in 2023, should ramp up, assisted by:
1. Expanding resources: OFSI has recruited around 100 new full-time staff this year in order to deliver more effective implementation and enforcement of sanctions. It has increased resourcing in its enforcement team by 175%, its licensing team by 160% and its engagement team by 120%.20 It is hoped this will also reduce the backlog in licence applications, many of which wait many months before being determined.
2. New disclosure requirements: A reporting obligation will be introduced requiring the disclosure of foreign reserves of the Central Bank of Russia, National Wealth Fund of Russia and Ministry of Finance of Russia.21
3. Improved international cooperation: Personnel of OFSI and the US Office of Foreign Assets Control (“OFAC”) met regularly in 2023 to discuss cross-jurisdictional issues. OFSI and OFAC issued their first joint fact sheet to provide further clarity on the UK and US’s Russia-related humanitarian authorisations.22 OFSI also engages closely with the EU, the G7, Crown Dependencies and Overseas Territories.23
4. Office of Trade Sanctions Implementation: On 11 December 2023, the government announced the establishment of a new unit, the Office of Trade Sanctions Implementation (“OTSI”), within the Department for Business and Trade. OTSI’s aim is to monitor compliance with trade sanctions and to assess suspected breaches. It also has the power to impose monetary penalties for breaches of trade sanctions and to refer cases to law enforcement agencies for investigation and potential prosecution.
Deferred Prosecution Agreements
DPAs in the UK will have their 10th anniversary in February 2024.24 These agreements allow a prosecutor to suspend prosecution of an organisation that has committed a specified crime, provided the organisation meets certain specified conditions and the Court determines that the DPA is in the interests of justice.25
Until late in 2023, the only prosecuting agency to enter into a DPA was the Serious Fraud Office (“SFO”). But in December 2023, the CPS agreed its first ever DPA – which turned out to be the second-largest DPA ever agreed in the UK.
The counterparty was Entain Plc (“Entain”), a global online sports and gaming business headquartered in London, which is the owner of Ladbrokes and Coral bookmakers.
The DPA arose out of an HM Revenue & Customs (“HMRC”) investigation into Entain.26 In 2019, HMRC commenced investigations into Entain’s former Turkish subsidiary (sold two years earlier as part of Entain’s takeover of Ladbrokes) and its third-party suppliers relating to the processing of payments for online betting and gaming in Turkey. In July 2020, HMRC informed Entain that it was widening the scope of investigation to examine other potential offences.
In May 2023, Entain announced that it was in DPA negotiations with the CPS and was working towards achieving a resolution for the ongoing HMRC investigation.27
On 24 November 2023, Entain announced that it had reached an in-principle DPA with the CPS relating to the failure of the Company to have adequate procedures in place to prevent bribery. On 5 December 2023, the Court approved the DPA,28 which required Entain to pay £615 million, consisting of: (i) a fine of £465 million; (ii) a disgorgement of profits of £120 million; (iii) costs of £10 million; and (iv) a charitable donation of £20 million.
Entain and the CPA also agreed that Entain would (i) conduct its gambling operations only in regulated markets (and subject to the scrutiny of those authorities); (ii) review and, where necessary, enhance its compliance procedures; and (iii) engage PwC to conduct an external compliance review, the terms of reference for which would be agreed with the CPS and the product of which would be shared with the CPS.29
The Court judgment approving the DPA noted that Entain had provided significant co-operation to the investigation even though there was no self-reporting, there had been a wholesale change of senior management and approach, and Entain had acknowledged that it was necessary to overhaul its culture and practices. Conversely, conviction would have disproportionate consequences: Entain would lose its licences to operate in other jurisdictions, putting at risk jobs and revenue, which would have a major effect on shareholders, pension fund holders and suppliers.
Apart from the significance of the first DPA entered into by the CPS – in a year when the SFO entered into none – it is also noteworthy that the DPA originated in a joint investigation by HMRC and CPS, showing the UK’s willingness to rely on its combined investigatory powers. This is also the second largest corporate criminal settlement in the UK, behind Airbus’s £880 million DPA in 2020. It remains to be seen whether the CPS will continue to be involved in large corruption cases, but it certainly shows that the CPS has real teeth as an enforcer of corporate crimes. This should serve as a reminder to companies to monitor and update their financial crime compliance procedures.
Corporate Criminal Liability
On 26 December 2023, the expansion of the ambit of economic crimes committed by senior managers came into force pursuant to the ECCTA. A second provision under the ECCTA creating a new failure to prevent fraud offence is also due to come into force in 2024, as soon as the Secretary of State has issued relevant guidance.
While this legislation is apparently, according to the government, not expected to lead to a material rise in prosecutions, it is a significant and welcome step which we anticipate will drive further positive change in compliance behaviour and corporate self-regulation.
Expansion of Corporate Criminal Liability
Under the ECCTA, if a senior manager of a body corporate or partnership acting within the actual or apparent scope of their authority commits an offence from a list of economic crimes, as defined by the legislation, the organisation is also guilty of the offence.30 Breaking this down:
1. Senior manager: A “senior manager” is an individual who plays a “significant role” in (a) the making of decisions about how the “whole or a substantial part” of the activities of the body corporate or partnership are to be managed or organised; or (b) the “actual managing or organising” of the whole or a substantial part of those activities.31
2. Jurisdiction: A “body corporate” is defined to include a body incorporated outside the United Kingdom.32 Where no act or omission forming part of the relevant offence took place in the United Kingdom, the organisation may still be guilty of an offence if it would be guilty of the relevant offence had it carried out the relevant acts in the location where they actually took place.33 In other words, if the relevant acts were committed abroad, and would have been a crime there as well as in the UK, the body corporate may be found guilty in the UK.
3. Economic crimes: The list of economic crimes is set out in Schedule 12. This includes many crimes of fraud, tax evasion, money laundering, theft, terrorist financing, bribery and misleading the market. The Secretary of State has the power to add or remove offences.34
As we launch into 2024, we can expect that the definition of “senior manager”, and when a senior manager’s acts should be imputed to their companies, will be subject to debate, since what constitutes a “significant role”, what is “the whole or a substantial part” of a company’s activities, and when a person is acting within “the actual or apparent scope of their authority”, are inherently subject to interpretation. There is very little case law in the area and the Courts may continue to consider that the requirement of certainty in the criminal law requires a narrow interpretation. Either way, the offence will not capture crime committed on behalf of companies by middle managers or lower-ranking employees.
Failure to Prevent Fraud
The new offence of failure to prevent fraud provides that a “large organisation” is guilty of an offence if a person who is associated with the organisation commits a fraud offence intending to benefit (whether directly or indirectly) the organisation or any person to whom the associate provides services on behalf of the organisation (or to a subsidiary of that person), unless the organisation can show it had “reasonable” procedures to prevent fraud.35
Subsidiaries of large organisations can also be guilty of this offence (although the size test is slightly different, where a subsidiary is involved).36
Taking the key limbs in turn:
1. Large organisation: Significantly, and unlike its predecessor failure to prevent offences, this offence was limited, over the objections of the House of Lords, to large organisations only. Those are defined as businesses meeting at least two of the following three criteria:
i. Turnover of more than £36 million;
ii. Balance sheet total of more than £18 million; and/or
iii. More than 250 employees.37
2. Associated persons: Employees, agents and subsidiaries are associated persons, as is any other person who performs services for or on behalf of the relevant body. A company can therefore be criminally liable for the acts not only of its employees but also of third parties, including consultants, lawyers, accountants and so forth.
3. Fraud offence: means one of the set of offences listed in Schedule 13, which includes false accounting, cheating the public revenue and fraud, as well as aiding, abetting, counselling or procuring the commission of such an offence. The list is smaller than the corresponding list for economic crimes, described above.
4. Defences: There are two defences available to companies.
i. Uniquely to this offence, it is a defence if the organisation itself was, or was intended to be, a victim of the fraud offence.38
ii. In line with the predecessor failure to prevent offences under the Bribery Act 2010 and Criminal Finances Act 2017, it is a defence for the organisation to prove that it had in place such prevention procedures as were reasonable in the circumstances, or it was not reasonable in the circumstances to expect the organisation to have prevention procedures at all.39
5. Guidance: The Secretary of State is required to publish guidance about reasonable procedures (the “Guidance”).40 This may be instructive as to how much companies are supposed to do. The previous guidance on adequate procedures to prevent bribery, issued by the Ministry of Justice in 2011, is recognised to be a well-written document that is of some use to companies. It is more difficult to assess its effect on prosecutions, since there remains no clarity from either prosecutors or the courts as to what constitutes adequate procedures.
6. DPAs: The offence is susceptible to deferred prosecution agreements.41
There has been some criticism regarding the exclusion for smaller companies, since fraud can be conducted in and through those companies as well (and they were not carved out from the failure to prevent bribery offence under the Bribery Act). The carve-out is not really complete, though. First, the Act cleverly ensured that small companies that are subsidiaries of large companies will be caught, so there is no incentive for large companies to artificially restructure themselves. Second, small companies will often be the “associated persons” of large companies, for which the large companies will be criminally liable. So the large companies may be expected to demand that the smaller companies that do work for them take measures to enhance their own compliance.
The major question now for 2024 will be how much companies will need to augment or adjust the compliance systems they have built up to prevent bribery and sanctions over the past 15 years, in order to meet the requirements of the failure to prevent fraud offence.
2024 looks set to be a busy year in the corporate crime world, with both companies and individuals expected to come under increased scrutiny. With further developments on the horizon, companies and individuals need to be prepared and ensure they meet the everchanging legal requirements.
8 He was also refused a licence to pay his property’s management company, as it was considered to be owned by a designated person.
14 Eugene Shvidler (the Claimant) v Secretary of State for Foreign, Commonwealth and Development Affairs  EWHC 2121 (Admin), at -
15 Eugene Shvidler (the Claimant) v Secretary of State for Foreign, Commonwealth and Development Affairs  EWHC 2121 (Admin), at  –
19 Litasco SA v Der Mond Oil and Gas Africa SA, Locafrique Holding Sa  EWHC 2866 (Comm), at -
24 They were introduced on 24 February 2014, under the provisions of Schedule 17 of the Crime and Courts Act 2013.
30 ECCTA, s.196.
31 Id., s.196(4).
33 Id., s.196(3).
34 Id., s.197(1).
35 Id., s.199(1)..
36 Id., s.199(2).
37 Id., s.201(1). As noted, the test is slightly different where the alleged offender is the subsidiary of a large undertaking.
38 Id., s.199(3).
39 Id., s.199(4).
40 Id., s.204(1).
41 Id., s.206(3).