What are some of the recent key developments in the Irish white-collar crime landscape that in-house counsel should be aware of?
The Irish white-collar crime landscape has seen some significant developments in the past 24 months, including the introduction of a swathe of regulations and legislation intended to increase compliance (including through enforcement activity) across various industries. Irish regulators have been increasingly equipped with enhanced powers to monitor, detect and prosecute white-collar and corporate offences, bringing increased focus on compliance on board agendas.
One of the most significant recent reforms has been the establishment, in July 2022, of the Corporate Enforcement Authority (‘CEA’). The CEA investigates and prosecutes breaches of Irish company law, replacing the former Office of the Director of Corporate Enforcement (‘ODCE’). The statutory functions of the CEA are similar to its predecessor, however it now operates as an independent statutory agency. More funding has been committed to the CEA to ensure that it has the appropriate resources to effectively fulfil its mandate. Separately, the powers and capabilities of the CEA are expected to be enhanced via the introduction of relevant legislation in due course.
The CEA has already brought a number of prosecutions throughout 2023 (notably against individuals rather than companies) including:
- Prosecuting a former director of a property management company, following an investigation into allegations of fraudulently removing company property in the period immediately preceding the company being wound up.
- Prosecuting, in cooperation with the Irish Data Protection Commission (the ‘IDPC’), a former director for offences relating to the provision of false information to an electronic filing agent.
- Carrying out an ongoing investigation into the Football Association of Ireland (‘FAI’).
The current CEO of the CEA has clearly signalled that the CEA will seek to increase its investigations, which will likely result in further prosecutions in the near future.
Do other regulators or agencies have a role in prosecuting economic crime or have enforcement responsibilities, and if so, how active are they?
Yes – whilst the Director of Public Prosecutions (‘DPP’) is the authority responsible for prosecuting the most serious criminal offences on indictment, most Irish regulators have the power to investigate and prosecute summary offences within their remit. Some regulators, such as the Environmental Protection Agency and the Health and Safety Authority, have a track record of commencing prosecutions more frequently than others. However, in the past 12 months we have observed an increase in prosecutions and enforcement activity from other regulators. For example:
- The IDPC has the power to prosecute summary offences under the Data Protection Act 2018 and ePrivacy Regulations as well as to issue administrative fines and use corrective powers. It successfully prosecuted a number of companies for breaching rules on direct marketing throughout 2022-2023. Given Ireland’s role as the ‘one-stop shop’ under the GDPR for many of the world’s largest companies, the role of the IDPC in enforcement in data privacy matters should continue to be on the radar of in-house counsel, particularly in light of the size and scale of the fines it has imposed on entities within the past 12 months.
- In the context of criminal offences, the Irish financial regulator, the Central Bank of Ireland (‘CBI’), has the power to prosecute summary offences for breaches of certain Irish financial services legislation and regulation. However, it is fair to say that the CBI more frequently works closely with other law enforcement agencies and prosecutorial bodies. In October 2023, a businessman pleaded guilty to the offence of insider dealing under Regulation 5 of the Market Abuse Regulations and Section 1368 of the Companies Act 2014, following a referral from the CBI to the Garda National Economic Crime Bureau. This was the first conviction for this offence in Ireland, and demonstrates the willingness of both the CBI and the GNECB to tackle market abuse in Ireland, and to hold individuals to account.
Looking forward to 2024 and beyond, what trends are you seeing in the white-collar crime/regulatory enforcement space?
The continued and increasing regulation of technology imposes additional risk of liability to criminal sanction and enforcement both for companies and directors across all industry sectors. As well as being alert to fraud and corruption risk, AI, content regulation, data privacy and cyber-attacks are all increasingly becoming central and recurring agenda items for corporate boards. The financial and reputational consequences arising from compliance failures in these areas are simply too great to be ignored.
In terms of data and online content regulation, the recent enactment of the Online Safety and Media Regulation Act 2022 (the ‘OSMR Act’) has heralded the arrival of a new regulator, Comisiúin na Meán (the Media Commission), responsible for overseeing compliance with new regulations (including under the EU Digital Services Act) for broadcasting providers, video-on-demand providers and video sharing platforms (including certain social media platforms). The OSMR Act has introduced a number of requirements on in-scope entities to monitor and combat harmful and/or illegal online content. Comisiúin na Meán can also prosecute certain summary offences under the Act, which, depending on the category of offence, carry a penalty of up to a €5,000 fine and/or 12 months’ imprisonment. As Comisiúin na Meán settles into its new role we anticipate there will be an uptick in investigations and potential enforcement action.
Over the past 18 months we have also observed a marked increase in clients who have been the victim of a cyber/ransomware attack, with the attacks becoming increasingly sophisticated and paralysing for the businesses concerned. This is consistent with global trends and we expect cyber-resilience and incident response to remain a top priority for boards looking into 2024 and beyond.
Turning to the financial services sector, the Central Bank (Individual Accountability Framework) Act 2023 (the ‘Act’) was enacted on 9 March 2023. The Act introduces significant regulatory reform with the ultimate objective of driving improved governance and accountability within the financial services sector. The CBI’s key enforcement tool, the Administrative Sanctions Procedure (the ‘ASP’) has been reformed and enhanced under the Act. A key change to the ASP under the Act is that the CBI can now take enforcement action directly against an individual for breaches of their obligations, rather than only in respect of their participation in breaches committed by a regulated financial services firm.
Finally, the new Markets in Crypto Assets Regulation (‘MICAR’) will come into force in Ireland in 2024 and will increase the level of regulation of the crypto-asset industry in Europe. A number of large crypto exchanges have chosen Ireland as their regulatory hub and we expect to see this industry grow, which will bring with it increased compliance and enforcement activity from the CBI as the national competent authority under MICAR.