Case study

Case study

Reporting concerns about wrongdoing when working in-house

Reporting concerns about wrongdoing when working in-house

Related guidance

This case study should be read in conjunction with the following guidance: Reporting concerns about wrongdoing when working in-house guidance.

Below we have provided a number of case studies to illustrate how our expectations operate in practice. The expectations we have set out are based on the facts outlined in each scenario at that point in time. In all cases, we would expect solicitors to keep the actions they should take under review as a situation develops. The case studies focus on your regulatory obligations. Your contract of employment is likely to set out additional obligations.

Case study 1 - Suspected bribery in a private company

You are General Counsel at company A which has recently won tenders worth £20 million from company B.

The secretary to the Finance Director at company A, approaches you as they have concerns about some recent email correspondence they have seen. The email correspondence is from the director to a project manager at company B. The Finance Director recently emailed the project manager confirming that £10k has been transferred to the project manager's bank account and the email then says, 'Once you've sent me over the information we spoke about on Tuesday, I will send the final instalment of £30k as agreed.'

The secretary also tells you that the Finance Director sent them invoices for these amounts and asked them to forward the one for £10k to the finance team for payment. The director has now instructed them to submit the invoice for £30k to the team. The invoices state, 'services in respect of final site surveys/drawings and final construction consultancy as agreed.' They have not yet submitted the invoice to the finance team.

Regulatory considerations and expectations

Your client is company A. As a result of the information given to you by the secretary, you have suspicions that the Finance Director may have used and may be currently trying to use your client's money to bribe a member of staff at another company in order to win tenders for your client. This places your client at risk of reputational damage and being charged with a section 7 'failure to prevent bribery' offence under the Bribery Act 2010.

Reporting up within your organisation

We would expect you to report your suspicions up within your organisation. In the first instance, this is likely to be to the CEO, or equivalent, and if necessary, (for example, if your concerns are ignored or dismissed) to the governing board of company A.

If this does become necessary, you should explain to your CEO that you need to report your concerns to the Board to meet your regulatory obligations. You should keep written records of all internal escalation activity you take.

You would also need to provide legal advice as appropriate on action the company is obliged to take. This includes any duties to report externally, for example, to the Serious Fraud Office, auditors, shareholders and any relevant regulators if applicable.

You would need to provide advice that the payment of £30k should not be made until company A has established whether it is a legitimate payment for services.

Reporting outside your organisation

Although the Finance Director's secretary approached you with concerns, they did not ask you for legal advice and therefore the information is not confidential or subject to privilege.

You do not have a regulatory obligation in this scenario to report to any external organisation. However, you may decide that you want to make an external report (most likely to the Serious Fraud Office).

Case study 2 - Concerns about patient care on a ward

You are Head of Legal for a busy NHS Mental Health Trust. The Mental Health Act (MHA) Administrator has reported several incidents of unlawful detention of patients on a particular ward. The MHA Administrator responsible for ensuring overall compliance with the act has noticed through her audit activities that several detention papers for patients have expired and have not been renewed. They ask you to provide advice on the legal position of the Trust in regard to these particular patients and what steps the organisation can now take. The MHA Administrator also ask you to deliver some training on the importance of avoiding instances of unlawful detention to the ward staff.

When you get to the ward to deliver the training, the ward manager says that it will need to be rescheduled as the ward is short staffed and the patients are being challenging. You see a patient being violently restrained on the floor by six staff. On your way out, a patient comes out of his bedroom and tells you that there is a particular staff member who works the night shift who ties patients to chairs for hours at a time. They also report that sometimes the staff member will pinch and flick patients whilst they are bound to the chair and will often shout at them and call them horrible names.

Later that day you learn that the patient who was restrained that day has a broken arm and has been taken to A&E.

Regulatory considerations and expectations

Your client is the NHS Mental Health Trust. You know that some patients are currently being detained illegally, you have witnessed behaviour that you have concerns about and a patient has reported possible abusive behaviour to you. Your client is at risk of legal action (civil and law enforcement) and regulatory action, as well as at reputational risk. It is also possible that patients are at risk of being harmed.

Reporting up within your organisation

We would expect you to use the process in place at the Trust to report both the issue of unlawful detention and what you witnessed on the ward. You should additionally report your concerns to the Trust's Safeguarding Lead.

Reporting outside your organisation

What you have witnessed on the ward is not confidential or subject to privilege. The fact that detention papers have expired is likely to be confidential and may be subject to privilege.

If you think there has been a breach of the Trust's regulatory requirements, we would expect you to make sure a report is made to its regulator, the Care Quality Commission (CQC).

Also, if you are not satisfied that action will be taken to protect patients from harmful abuse, we would expect you to consider making a report to the police. You should keep a written record of whether or not you decide to make a report and the reasons for your decision.

From a regulatory perspective, although reporting to the CQC about the expiry of detention papers may be a breach of confidentiality, we would support you erring on the side of disclosure in these circumstances.

The duty of confidentiality is extremely important. However, where there are serious concerns about a failure to meet care standards to vulnerable patients, we would not want possible regulatory action to prevent solicitors from breaching their duty of confidentiality and disclosing confidential information.

Case study 3 - Anti-money laundering concerns in a commercial entity

You work for a large manufacturing business as a Group Company Secretary and Chief Governance Officer. Although the business is not supervised under the money laundering regulations, the Board of Directors has decided to appoint a Money Laundering Reporting Officer (MLRO). Alma has recently been appointed to this role and has provided a report to the Executive Committee highlighting serious concerns and has made several proposals to improve its operating model and processes.

The report contains details of a review of internal invoicing which has found that large sums of money have been received into the business with no obvious explanation. These were then sent to dubious suppliers under what appear to be false invoices. Alma has recommended all previous and upcoming payments to suppliers are investigated. She also says that upcoming and ongoing payments must be suspended if they cannot be readily explained, and that a suspicious activity report (SAR) should be raised with the National Crime Agency (NCA).

You have provided some advice on the legal risks. During the Executive Committee meeting, you give advice on the potential criminal and reputational consequences of offences under the Proceeds of Crime Act 2002. You say that this is a matter which is high risk and which should be prioritised. You advise that this matter should be escalated to the Board of Directors. You also say that an action plan should be set into motion and be adequately resourced and its progress should be overseen by the Board.

However, the CEO is reluctant to escalate this to the Board and says that this isn't a priority for them right now. The CEO tells Alma not to investigate or make a report to the NCA and says, 'We will only take action on this once we are certain something underhand is occurring, we are very busy and investigating this will annoy our suppliers.'

Alma, very concerned about her position as MLRO, resigns with immediate effect.

Regulatory considerations and expectations

As far as you are aware, there is no MLRO in position and no SAR has been made to the NCA. There are potential criminal and reputational risks to the firm if they fail to make a report and/or fail to act in relation to the suspicious payments.

Reporting up within your organisation

You should report to the Board of Directors and warn them about the issues and the risks of prejudicing an investigation under s.342 of the Proceeds of Crime Act 2002 (POCA).

Reporting outside your organisation

You should make a SAR under ss.337 and 338 POCA using the NCA'sonline SAR reporting system. As well as meeting your regulatory obligations, making such a report will also protect you from allegations of becoming involved in money laundering (see our separate guidance on proceeds of crime).

If you do make a report, you will have to keep your own records and make sure that they remain confidential to those who need to know. In this scenario, you are not working within scope of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, so the offence of tipping off under s.333A of the Proceeds of Crime Act 2002 would not apply.

You should, however, still think carefully before informing the subject of a SAR (or anyone who does not need to know) that one has been made. Prejudicing an investigation is an offence under s.342 PoCA, and a person commits an offence if they make a disclosure that is likely to prejudice an investigation or tampers with (or permits others to tamper with) documents that are relevant to an investigation. You may also place yourself and those in your firm in danger of harm.

SARs are documents of the utmost confidentiality, and the system will only work if this is maintained.

Case study 4 – The Governing Board rejects advice and decides to act illegally

You have recently joined a small furniture company (company C) as its sole in-house counsel. Your CEO tells you that they want to make an informal agreement with another furniture company (company D) not to compete on price to help both companies with their profit margins. You advise that this would be a breach of competition law and set out the possible implications for the company.

The issue is discussed at the next Board meeting, where the decision is made to go ahead anyway as it is felt the benefits outweigh the risks.

Regulatory considerations and expectations

Your client is company C. It is planning to breach competition law which puts it at risk of legal action (civil and law enforcement) as well as at a reputational risk. As the Board have decided to continue with the agreement despite your advice that this is illegal, you should carefully consider whether and how you can continue to work for company C whilst meeting your regulatory obligations. Remember that if you continue to work for it, you must not be complicit in their illegal actions.

Reporting up within your organisation

In this case, you have already provided appropriate advice to the Board. You have therefore met your regulatory obligations in respect of reporting up.

Reporting outside your organisation

There is no legal or regulatory obligation on you to report to an external authority in this scenario. However, if you decided that you wanted to make an external report (most likely to the Competition and Markets Authority), you should consider how you can do so without disclosing confidential information. Whether or not you do this, you must be careful not to become complicit in the organisation's illegal actions.

Case study 5 - Contractual obligations private sector

You are an in-house solicitor working for a small company (company E) that provides staff to set up exhibition stands at conferences. You are the only solicitor at the company and you report directly to the CEO. The company has a contract with a large conference centre to provide 10 staff every Saturday and Sunday to erect exhibition stands by 8.00.

The company is struggling financially and the CEO asks you for some legal advice and says to you, 'I know we probably have a contractual obligation here, but I'd like to reduce the number of staff we send to seven without impacting the amount we get paid. They'll probably still have the exhibition stands ready by 8.45 and the conferences rarely start before 9.00.'

Regulatory considerations and expectations

If the CEO went ahead with reducing the number of staff provided to the conference centre, they would be in breach of their contract. This would put them at risk of legal action with possible financial and reputational implications.

Reporting up within your organisation

We would expect you to provide the CEO with advice about the possible implications of breaching company E's contract with the conference centre. If they decide to proceed despite your advice, you could report up to the governing board, but it would not be a breach of our regulatory requirements if you did not do so. This is because it is legitimate for the CEO to consider the trade-off between the costs of complying with the letter of the contract and the risk of having to pay damages if conference centre took action for breach of contract. This is particularly the case as the CEO considers that the outcomes required by the contract will still be met.

Reporting outside your organisation

There are no legal or regulatory obligations to report outside of your organisation in this scenario.

Case study 6 - Concerns about workplace culture

You are working as an in-house solicitor for a local authority. The CEO approaches you to draft a settlement agreement with a former employee in relation to allegations of sexual harassment that they have made against a senior manager. You know that two other in-house solicitors have drafted similar settlement agreements about the same senior manager in the last two years.

Reporting up within your organisation

We would expect you to provide advice about the risks attached to the alleged behaviour of the senior manager and the culture that is enabling that behaviour to continue. In the first instance, this would be to the CEO and, if necessary, to the Board or committee above them. This advice should include the risk of proceedings being brought by the former employees as well as the risks caused by any repetition of their conduct in the future.

In considering drafting any settlement agreement, you must:

  • be careful not to take unfair advantage of the former employee (paragraph 2 of the Code of Conduct for Solicitors, RELs and RFLs)
  • not attempt to prevent anyone from providing information to us or any other body exercising regulatory, supervisory, investigatory or prosecutory functions in the public interest (paragraph 7.5 of the Code of Conduct for Solicitors, RELs and RFLs).

If you are unable to draft the settlement agreement and act in a way that is consistent with our requirements, you must decline to act. You may find our warning notice on non-disclosure agreements helpful.

Reporting outside your organisation

If this behaviour occurred by an individual or in a firm regulated by us, you would have a duty to report to us and we would investigate. We have published separate guidance on sexual misconduct.

You should consider whether there is any obligation on you to report to any other regulator if the senior manager is regulated.

If the underlying conduct comprises a criminal offence, we would expect you to carefully consider whether to make a report to the police. You should record your decision and the considerations that you have considered in reaching that decision.