The question for regulators and prosecuting agencies at the moment is whether they can, or should, enforce regulatory requirements and legislation to the same extent as they did before the coronavirus pandemic.

Corporates and individuals are facing incredible challenges, from the difficulties posed by remote working to budgetary and time constraints. Should they accept that corporates and individuals cannot operate at the same high level of regulatory compliance? Should they be more lenient if they make mistakes due to the environment in which key decisions must now be taken?

Regulators and prosecuting agencies alike are facing challenges in a wide variety of areas, including resourcing, technology and the prioritisation of risks. This means that many are struggling to complete the supervisory agendas they had set for 2020 and to follow up on how the regulated are implementing the requirements or guidance.

Given the stretch on resources, it is inevitable that both corporates and regulators will make mistakes. The need to prioritise resource in some areas will undoubtedly mean that other areas do not receive as much attention as before.

In such times, it is vital that corporates and senior managers avoid ‘group think’ or ‘snap decisions’ and have a clear record of the rationale for any decisions that need to be made. This should be done with specific consideration as to the individual corporate, its senior management and its customers or clients.

Overall, regulators have been keen to point out that while we all face challenges during the lockdown and as we emerge from it, it is the spirit as well as the letter of regulation that must be followed.

The benefits of hindsight

The risk for many corporates and senior individuals is that decisions they take during the current highly unusual and pressurised circumstances will be reviewed with hindsight by regulators and prosecutors after the pandemic has passed. This is likely to result in significant financial penalties, business restrictions and potentially criminal prosecutions in some cases.

In the UK, the Financial Conduct Authority (FCA) has stressed that firms should continue to be led by the Principles for Businesses, the existing rules and the guidance the FCA continues to publish.

Mark Steward, the FCA’s executive director for enforcement and market oversight, recently stated that a “broad but overwhelmingly fundamental point” was often a failure by firms and their senior managers to engage directly or explicitly with the Principles for Business in deciding, carrying out or managing the problematic conduct. Mr Steward also stated that the Principles should be “an integral part of the operational process of planning or decision making at all levels and as a way of overseeing and assessing whether the firm’s conduct remains appropriate”.

As well as indicating a move toward outcomes based regulation and enforcement, a range of regulators, including the FCA, have flagged a shift toward using their enforcement tools to not only detect and penalise breaches, but to also prevent them in the first place.

These changes are significant as they illustrate the potential for regulators to use greater hindsight in assessing the past conduct of corporates and individuals, based on the outcome.

The prevention of breaches brings its own challenges. Prevention would require significantly more resource and intervention, neither of which is likely during the pandemic or for some time thereafter. Principles-based regulation or legislation has always required interpretation by both the regulator and the regulated. Regulators and prosecuting agencies will continue to be stretched by this current approach without adding prevention to their list of objectives as well.

The risks of acting flexibly

Various regulators and prosecuting agencies have indicated that there will be some relaxation or flexibility of both their supervision and enforcement of regulatory requirements or legislation during the pandemic, usually in specific scenarios. For example, the FCA recently said firms could apply more flexibility to how they conduct customer on-boarding and due diligence in a remote environment.

However, one can readily foresee that – based on the same guidance making it clear that any actions must still comply with the Money Laundering Regulations 2017 (MLR) – there is a risk that any flexibility could result in a judgement by the FCA based on hindsight that the corporate and its senior management failed to comply with the MLR.

When taken into account in conjunction with the FCA’s increasing focus on criminal prosecutions for anti-money laundering (AML) failings, the risks of acting flexibly are significant. There has been no clear statement from the FCA that it will not seek to take action where potential failings are subsequently identified.

While the Serious Fraud Office (SFO) in the UK has had to halt conducting some interviews, in the US the Securities and Exchange Commission (SEC), Department of Justice (DOJ) and others show no sign of taking their foot off the gas in relation to their enforcement actions and criminal prosecutions. They have acknowledged the difficulties and indicated that they are trying to be sensitive to the realities of what everybody is dealing with, but their actions speak louder than words.

The DOJ and SEC may well face significant difficulties in gathering evidence, but they continue to investigate and take action in a variety of cases. High profile examples include selecting the monitor for Ericsson, continuing investigating Raytheon, nearing a settlement with Herbalife and the SEC beginning its investigation of South Korean telecoms company KT Corporation.

In contrast, the UK Information Commissioner’s Office (ICO) has announced that it will relax enforcement of data protection laws in certain circumstances during the pandemic. Data legislation had already been relaxed in April to allow for the use of the public’s mobile data for generalised location data trend analysis, including contact tracing.

The European Data Protection Board (EDPB) also recently released a statement along the same lines, outlining that its approach to data protection will be eased while the virus is drastically affecting public life. This included reference to supporting contact tracing and how data can be used to combat and exit the pandemic.

This relaxation seems to be narrowly focused on combatting the pandemic and is not an indication that data breaches or failings in other areas will go without investigation or sanction.


While regulators and prosecutors are facing challenges including resourcing and evidence gathering, the vast majority continue to have their teeth and are keen to use them.

Corporates and senior management will need to take steps to protect themselves from decisions they make now coming back to bite them after this pandemic.

This article was originally published by Financier Worldwide as part of a special report on white collar crime. 

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2020. Specific advice should be sought for specific cases. For more information see our terms & conditions.

Written by

Noline Matemara

Noline Matemera

Date published

17 June 2020


View all