Global investigations and white collar defence briefing – January 2025

Bulletin
7 January 2025

As we move forward into the new year, our Global Investigations and White Collar Defence team reflect on the latest news and provide a roundup of key developments. Looking ahead, the team explore the trends and challenges that are likely to shape the landscape in 2025, offering insights into what we can expect.

ECCTA Timeline

We have previously written about the Economic Crime and Corporate Transparency Act here.

In respect of the changes to Companies House powers, the government has committed on its website to ensuring that Companies House is able to issue financial penalties for any relevant offences under the new ECCTA and the Companies Act in Autumn 2024.¹ Guidance on information sharing measures between firms has also been published, which is designed to support the existing anti-money laundering regime under Schedule 9 of the Proceeds of Crime Act 2022.²

In respect of the new ‘failure to prevent fraud’ corporate offence, the long-awaited Guidance was published on 6 November 2024. We cover the Guidance extensively in our article here. In short, and as we predicted, the Guidance mirrors that which accompanied the failure to prevent bribery corporate offence and the failure to prevent the facilitation of tax evasion offence, and it will be a defence for large organisations to show that they had reasonable prevention procedures in place to prevent fraud. The Guidance is principle-based, focusing on top-level commitment, risk assessment, proportionate risk-based prevention procedures, due diligence, communication, and monitoring and review.

TIP

Publication of the Guidance means that the failure to prevent fraud offence will come into force on 1 September 2025. Large organisations therefore have ten months to conduct a review of their existing procedures and ensure that their reasonable procedures are up to scratch.

Bribery and Corruption

In the UK, six former Glencore executives were charged in September 2024 in respect of allegations of conspiracy to make corrupt payments to government officials in Cameroon, Nigeria and the Ivory Coast between 2007 and 2014, following Glencore’s guilty plea and £276 million fine in relation to the same, paid to the Serious Fraud Office (‘SFO’). This promises to be a lengthy ordeal as the trial is not likely to take place before mid-2027.

In late November 2024, the SFO simultaneously announced that it was closing its investigation into Canadian jet manufacturer Bombardier (citing deferral to US and Canadian investigations) and launching a new joint investigation with France’s Parquet National Financier (PNF) into suspected bribery and corruption at multi-national aviation and defence group Thales.

TIP

The SFO appear to be streamlining their case list and concentrating their efforts on international cooperation and prosecution of individuals. In 2025, we can expect to see more activity from the SFO, both in respect of ongoing matters and possibly more enforcement action in respect of new matters as well (such as through dawn raids, for example).

Commodities

In October 2024, the appeal of commodity trader Elliott Associates (‘Elliott’) was dismissed in the UK Court of Appeal regarding its lawsuit against the London Metal Exchange (‘LME’) in relation to the LME’s suspension and cancellation of nickel trades on 8 March 2022. Elliott argued that the decision to cancel the nickel trades was unlawful and sought a judicial review action.

In the judgment, Males LJ stated that although the background to this case was complex, this ultimately was a “straightforward case” and that the events of the “extreme price movement during a short period…. was a once in a generation event” and to allow the trades to stand “would have meant a real risk of a….’death spiral’ in the international metals market.”³ Elliott has said they are considering the ruling and any next steps.

TIP

The Court of Appeal ultimately held that the decision to cancel the trades was not pursuant to improper purposes to disadvantage Elliott (and the other appellants) but rather to avoid a loss of confidence in commodity markets as a whole, not just nickel futures. In times of instability therefore, it is not unheard of for exchanges to intervene in order to preserve market stability and instil market confidence.

Supply chains

In June 2024, a Court of Appeal decision held that the National Crime Agency (‘NCA’) was wrong not to investigate alleged offences under Part 7 of the Proceeds of Crime Act 2022 (‘POCA’), in relation to imports of cotton products to the UK from the Xinjiang Uyghur Autonomous Region of China (‘XUAR’), in circumstances where the World Uyghur Congress allege that the products were a result of forced labour and/or human rights abuses.⁴

It was held that the NCA were wrong to say that the ‘adequate consideration exemption’ anywhere in the supply chain (i.e. paying market price for goods imported into the UK) would be enough to remove the taint from the purchased goods.

TIP

It is clear that POCA can still apply in circumstances where there was constructive knowledge but no actual knowledge of criminal conduct (such as modern slavery, forced labour or human rights abuses).

It is clear therefore that the onus is growing on companies themselves to get their houses in order and conduct risk assessments on their global supply chains.

Audits

The General Election which took place in July 2024 brought in a new Labour government and with political changes come legislative changes. Among the new raft of legislative bills which are already under consideration, the Labour government plans to tackle audit reform through the new Draft Audit Reform and Corporate Governance Bill. We addressed audits in our bulletin in April 2024 and specifically, the transition from the Financial Reporting Council (‘FRC’) to the Audit, Reporting and Governance Authority (‘ARGA’).

The Bill promises to oversee the transition from the FRC to the ARGA, extend public interest entity (‘PIE’) status to include large private companies where they will be subject to additional audit requirements, introduce a new regime to protect against conflicts of interest, and remove unnecessary regulatory burden on small PIEs. If implemented effectively, this new Bill could prove to be instrumental in avoiding large scale corporate failures like Carillion, which we saw in 2023.

TIP

For large private companies, it looks like they are looking down the barrel of increased audit scrutiny and requirements. It will pay off therefore to be proactive and upfront about potential issues which could affect the audit process, including any internal policies or procedures in relation to the same.  

Covid-19 Contracts

In September 2024, Transparency International (‘TI’) released their investigative report into the way the UK handled Covid-19 public procurement. Following analysis of over 5000 UK contracts, TI determined that 135 contracts were potentially corrupt as they were associated with three or more ‘red flags’. The report lists these 14 ‘red flags’ to look out for, categorised into 4 broad areas: risks in the procurement process, risks in the supplier profile, poor contract outcomes and cross-cutting risks.⁵ While the red flags themselves of course are not indicative of wrongdoing, they were used to identify contracts which were then subject to heightened scrutiny.

The key findings were: (i) 28 contracts went to those with political connections; (ii) 51 contracts went through a ‘VIP Lane’ which meant that contracts were awarded to politically connected suppliers or were referred to by politicians; (iii) 8 contracts went to new/inexperienced suppliers; and (iv) £30.7 billion worth of COVID-19 contracts were awarded uncompetitively.

The TI report comes as part of the ongoing Covid-19 inquiry and makes 15 recommendations to protect against this in future and urged the authorities to look into these problematic contracts. In fact, TI has written to the National Audit Office, the Public Accounts Committee and the Chancellor with detailed findings, and Tom Hayhoe has been appointed as the Covid corruption commissioner to lead the enquiry.

TIP

Following the UK’s change in government, the Labour government has initiated the Covid inquiry to investigate PPE fraud claims during the pandemic under the previous government. It will be no surprise therefore to see follow up legal action in relation to these contracts in 2025, some of which resulted in billions of public money being written off due to potentially corrupt contracts.

UK Sanctions Enforcement: Challenges and Developments

State of Play

Despite the increasing scale and prioritisation of UK sanctions as a foreign policy and security tool over the past two years, instances of public enforcement of the Russia sanctions programme in the UK by the Office of Financial Sanctions Implementation (OFSI) have been notable by their absence.

In the nearly three years since Russia invaded Ukraine, OFSI has only taken two actions under the Russia sanctions programme: a publication notice that did not attract a fine; and a GBP 15,000 fine in respect of 26 payments made in breach of sanctions totalling GBP 15,000, and where the activity was ‘serious’, ‘harmed’ the objective of the sanctions regime, and other aggravating factors were present.[1] [2] This is in stark contrast to a recent GBP 29 million fine imposed by the Financial Conduct Authority (FCA) against Starling Bank for, amongst other things, deficiencies in its sanctions compliance systems and controls.[3] In particular, Starling Bank had been failing to screen customers against the full UK Consolidated List. As part of this review, ‘a number’ of potential breaches of UK sanctions by Starling Bank were also identified but OFSI has not yet taken any public action in relation to these potential breaches. This demonstrates that where there is appetite, it is possible for sanctions to be enforced in a timely and proportionate manner, but OFSI remains slow to react.

EU Member States are much more aligned with the proactive enforcement approach of the FCA in their enforcement of sanctions. Dutch and German authorities have both imposed custodial sentences for breaches of sanctions this year, and each of Luxembourg, Estonia, Lithuania, Poland and the Netherlands have imposed fines ranging from hundreds of thousands to millions of Euros.

The reason for the discrepancy between OFSI’s enforcement record, and that of other UK and EU regulators is not clear, particularly in circumstances where OFSI’s enforcement team headcount increased by 175% in 2023 and it had 172 cases under active investigation as of April 2023.[4]  That said, the US, which has historically been the best resourced and most aggressive international sanctions authority, has itself also only imposed two penalties under the current Russia sanctions framework, so it could simply be that the lag time for enforcement has not yet elapsed.

In light of this, it is likely that we will see a significant wave of enforcement action over the next 12 months. This is furthered by Freedom of Investigation requests made by the BBC which have revealed that OFSI currently has 37 live investigations into breaches of the Russian oil price cap alone.[5] 

Recent developments and the creation of OTSI

In line with this, it is apparent that the UK expects there to be greater enforcement going forwards. On 10 October 2024, the UK launched a new competent authority for certain trade sanctions, the Office of Trade Sanctions Implementation (OTSI). OTSI will have licensing responsibility in respect of a limited subset of trade sanctions, and will be able to impose civil monetary penalties for the majority of trade sanctions breaches as an alternative to the criminal penalties that will continue to be able to be imposed by HM Revenue & Customs (HMRC). HMRC is retaining sole competence for the enforcement of trade sanctions breaches that involve the movement of goods across the UK border, or which relate to military and dual-use goods.

The launch of OTSI represents a significant investment by the UK government in strengthening the trade sanctions enforcement regime. OTSI’s new monetary penalties powers will, in theory, make enforcement easier because they can be imposed on a strict liability basis (essentially discounting the complete defence of lack of knowledge or reasonable cause to suspect). Whether or not this will translate into further penalties, however, remains to be seen.

In the meantime, financial institutions and certain other regulated bodies will face an increased compliance burden. The strict liability provisions will mean that more robust due diligence will need to be performed, and failing to comply with new mandatory reporting obligations in respect of trade sanctions may also attract civil monetary penalties.

Impact on sanctions compliance

The recent changes to the UK sanctions enforcement framework mean that all affected persons should review both the legislation[6] and guidance[7] published thereafter, and their sanctions compliance policies and procedures, to ensure that they adequately address the additional risks created in respect of trade sanctions.

Those affected by the new reporting obligations should equally ensure that they have mechanisms to identify potential trade sanctions breaches and processes to ensure these are reported ‘as soon as practicable.’

The increased scrutiny being applied to trade sanctions breaches means that serious consideration should be given to making voluntary disclosures in the event of identified breaches, and mandatory reporting obligations mean that it is more likely that such matters will come to the attention of regulators. While there is not generally a ‘first mover’ advantage in the UK, it may be that opportunities to take advantage of discounts and arguments in mitigation for making voluntary disclosures might be lost. Periodic sampling of historic transactions can provide peace of mind.

A New Era for Data Protection in Hong Kong: Legislative Updates for a Digital Age?

As 2024 draws to a close, Hong Kong appears on the brink of significant legal reforms that could reshape the landscape of data privacy and cybersecurity. The government has proposed updates to the Personal Data (Privacy) Ordinance (the “PDPO”) and introduced groundbreaking legislation aimed at bolstering cybersecurity for critical infrastructure. This article outlines the: (1) key provisions; (2) implications for various stakeholders; and (3) broader context of data protection and cybersecurity in Hong Kong and the PRC.

Proposed enhancement of data privacy protection under the Personal Data (Privacy) Ordinance

The PDPO has been a cornerstone of data privacy in Hong Kong since its enactment. However, the rapid evolution of technology and increasing incidents of data breaches have prompted the Office of the Privacy Commissioner for Personal Data (the “PCPD”) to advocate for enhancements to the existing framework. Key proposals include the introduction of[1]:

  1. Mandatory breach notifications to the PCPD and impacted individuals.
  2. Direct regulation of data processors under the PDPO.
  3. Clear personal data retention policies.
  4. Express and enhanced powers of the PCPD to impose administrative fines.

The proposals are to be welcomed and are important for maintaining Hong Kong’s status as a global financial hub, where data privacy and security are paramount for business operations and consumer confidence.

Implications for Stakeholders

The proposed amendments to the PDPO will have far-reaching implications for various stakeholders.

Organizations that handle personal data, including both large corporations and small businesses, will need to revise their compliance frameworks. This will involve conducting data audits to identify and classify personal data they process, as well as developing and implementing new data retention and breach notification policies to align with the updated legal requirements.

Individuals will benefit from enhanced rights regarding their personal data. With mandatory notifications for data breaches, they will have more control and awareness of how their data is handled. This increased transparency is expected to foster greater public trust in organizations’ data management practices.

Legal and compliance teams within organisations will face increased responsibilities to ensure adherence to an updated PDPO. This may involve implementing training programs for staff on new data protection obligations and drafting updated internal policies to reflect the new legal requirements. As the regulatory landscape evolves, legal experts will need to stay informed about emerging trends in data protection.

Hong Kong Privacy Commissioner publishes first comprehensive AI-specific guidance

On 11 June 2024, the PCPD published the “Artificial Intelligence: Model Personal Data Protection Framework” (the “Model Framework”)[2]. This is the PCPD’s first guidance document targeted at organisations procuring, implementing and using artificial intelligence (“AI”) systems in the context of their compliance with the PDPO. The Model Framework is addressed to organisations that procure AI solutions from third parties and process personal data in their operation or customisation of AI systems. In particular, the Model Framework covers recommended measures in the following four areas:

  1. Establishing AI strategy and governance.
  2. Conducting risk assessment and human oversight.
  3. Customisation of AI models and the implementation and management of AI systems.
  4. Communication and engagement with stakeholders.

The Model Framework and the PDPO

The Model Framework serves as an extension of the PDPO, providing practical recommendations for organisations that operate within the framework of existing privacy law. While the PDPO establishes the legal obligations regarding personal data, the Model Framework offers detailed insights on how to interpret and implement these obligations in the context of AI technology. Where an AI Incident occurs as part of a data breach, the data breach incident response mechanism should be simultaneously engaged. This should also be considered in the context of the potential mandatory breach notification obligation included in the proposed PDPO amendments. If a data breach is involved in the AI incident, the AI incident response should include appropriate considerations for triggering a report and notification mechanism to internal stakeholders and external affected parties such as data subjects and regulatory authorities.

New cyber security legislation: “Protection of Critical Infrastructure (Computer System) Bill”

On 25 June 2024, Hong Kong’s first legislation on cybersecurity was proposed to enhance the protection of computer systems of critical infrastructures (“CIs”) and to regulate the cybersecurity obligations of critical infrastructure operators (“CIOs”). The “Protection of Critical Infrastructure (Computer System) Bill” (the “Proposed Legislation”) will be put before the Legislative Council before the end of 2024. The Proposed Legislation, once enacted, would likely be implemented in a staged approach, with full implementation by 2026.

The objectives of the Proposed Legislation are to strengthen the security of the computer systems of CIs, and minimise the chance of essential services being disrupted or compromised due to cyberattacks. 

The Proposed Legislation targets CIOs that are: (1) necessary for the continuous delivery of essential services in Hong Kong; and (2) those maintaining important societal and economic activities in Hong Kong. It will require those CIOs to fulfil baseline requirements set as statutory obligations, from which the CIOs can build up and enhance their capabilities for securing their computer systems with regard to their own needs and characteristics.

The key statutory obligations of CIOs set out in the Proposed Legislation can be categorised as: (1) organisational; (2) preventative; and (3) incident reporting/response.

Interplay between the proposed reforms

The proposed updates to the PDPO, the AI-specific guidance Model Framework, and the Protection of Critical Infrastructure Bill collectively create a cohesive framework for data protection and cybersecurity.

The mandatory breach notification requirement in the proposed PDPO updates aligns with the incident reporting obligations in the Protection of Critical Infrastructure Bill. Both frameworks emphasise the importance of timely communication in mitigating risks associated with data breaches or cyber incidents.

As the PDPO updates introduce direct regulation of data processors, the AI-specific guidance emphasises the need for accountability in data handling practices. Organisations using AI must ensure that their data processors comply with the same obligations, thereby enhancing overall data governance.

Both the AI-specific guidance and the Protection of Critical Infrastructure Bill emphasise the importance of risk assessments. Organisations must identify and mitigate risks associated with AI and cybersecurity threats. This alignment promotes a proactive approach to data protection, encouraging organisations to integrate risk management practices into their operational frameworks.

The proposed updates to the PDPO, the Model Framework, and the Proposed Legislation collectively represent a significant evolution in Hong Kong’s approach to data protection and cybersecurity. By integrating these frameworks, Hong Kong is positioning itself to address the challenges posed by AI and cyber threats effectively.

As organisations adapt to these regulatory changes, they must prioritise compliance and proactive data governance to safeguard personal data and maintain public trust. This holistic approach will be essential in navigating the complexities of the digital landscape while fostering innovation and protecting individual rights.

The Way forward: The future legal landscape of Hong Kong’s privacy and cybersecurity laws

The future legal landscape regarding Hong Kong’s privacy and cybersecurity laws is poised for significant transformation, driven by recent developments such as the proposed updates to the PDPO, the Model Framework, and the Proposed Legislation. These frameworks are designed to enhance data protection, accountability, and cybersecurity in an increasingly digital environment. The PDPO updates, with their emphasis on mandatory data breach notifications and direct regulation of data processors, align closely with the evolving expectations for data governance. Meanwhile, the Model Framework encourages responsible AI practices, reinforcing the importance of transparency and risk assessment. Concurrently, the Proposed Legislation highlights the critical need for robust cybersecurity measures for essential services. Together, these developments signal a move towards a more integrated and robust legal framework that fosters greater accountability and trust in the digital economy, positioning Hong Kong as a competitive hub for technology and finance.


[1] Security Bureau (2024) LC paper no. CB(2)930/2024(03), Legislative Council Panel on Security Proposed Legislative Framework to Enhance Protection of the Computer Systems of Critical Infrastructure. Available at: https://www.legco.gov.hk/yr2024/english/panels/se/papers/se20240702cb2-930-3-e.pdf

[2] Privacy Commissioner’s Office Publishes “Artificial Intelligence: Model Personal Data Protection Framework” (pcpd.org.hk)

Footnotes

  1. Economic Crime and Corporate Transparency Act: outline transition plan for Companies House – GOV.UK (www.gov.uk)
  2. Guidance on the information sharing measures in the Economic Crime and Corporate Transparency Act 2023 – GOV.UK (www.gov.uk)
  3. R Elliott Associates v London Metal Exchange final judgment.pdf at para 174
  4. [2024] EWCA Civ 715 (27 June 2024)
  5. Behind the Masks Report Final_0.pdf (transparency.org.uk) at Appendix 3.
  [1] Wise_Payments_Limited_Disclosure_Notice_31AUGUST23.pdf
  [2] Report_of_Penalty_for_Breach_of_Financial_Sanctions_-_ICSL.pdf
  [3] Final Notice 2024: Starling Bank Limited
  [4] committees.parliament.uk/writtenevidence/130090/default/
  [5] Dozens of UK-linked firms suspected of busting Russian oil sanctions – BBC News
  [6] The Trade, Aircraft and Shipping Sanctions (Civil Enforcement) Regulations 2024
  [7] Office of Trade Sanctions Implementation – News and updates from Office of Trade Sanctions Implementation