White Collar Crime And Government Investigations – Global Round-Up Of Enforcement Trends And Legal Developments

EU: Implementation of the Directive criminalising breach of EU sanctions

EU restrictive measures have taken on a central role in the response to geopolitical crises, yet the absence of uniform rules has long hampered enforcement. Directive (EU) 2024/1226 (the Directive), adopted in April 2024, introduced common minimum rules on offences and penalties for violations of such measures. Member States had until 20 May 2025 to transpose the Directive into national law.

However, implementation has been delayed in several Member States. The position in Italy, France, Germany and Spain is as follows:

Italy

• Italy's implementing decree acts on two main fronts: defining new criminal offences and strengthening corporate compliance obligations, including through the extension of Legislative Decree No. 231/2001 and whistleblowing rules.
• The decree inserts a new chapter into the Criminal Code creating offences "against the foreign policy and common security of the European Union". Article 275-bis broadly criminalises conduct violating EU restrictive measures, including providing funds to designated persons, failing to freeze assets, conducting prohibited transactions and providing services related to listed products, as well as circumvention.
• Financial penalties for entities are calculated as a percentage of global annual turnover (0.5–5%), potentially reaching billions for large groups.   Where turnover cannot be established, fixed ranges apply (ranging from €3 million to €40 million based on the seriousness of the violation). 

France

• A bill of law was proposed on 3 March 2026 defining criminal offences involving violations of EU restrictive measures and the applicable penalties under French law.
• Under the current draft, fines may be as much as 5% of the relevant entity's total worldwide revenue for the preceding financial year. If the fine cannot be calculated as a percentage, an amount up to €40 million will be imposed.
• The bill doubles the maximum fine for organised group violations to 10% of total worldwide revenue (or up to €80 million where the fine cannot be calculated as a percentage).

Germany

• With considerable delay, and only after the European Commission had initiated infringement proceedings, the German legislator transposed the Directive in February 2026. Most offences were already criminal offences under the Foreign Trade and Payments Act (Außenwirtschaftsgesetz (AWG)), but several additions were required for EU harmonisation. The reform brings substantial changes to sections 18 and 19 AWG and section 82 of the Foreign Trade and Payments Ordinance (Außenwirtschaftsverordnung).
• The reform aims to increase deterrence and will result in a significant increase in liability and reputational risks for companies. It includes in particular:
  • upgrading of some administrative offences to criminal offences, including breaches of financial sanctions and transaction bans, as well as the concealment of assets to circumvent sanctions;
  • criminal liability for reckless violations concerning dual-use goods; 
  • tougher penalties, including maximum corporate fines of up to €40 million (plus confiscation of profits) for intentional sanctions breaches;
  • broader reporting obligations; and
  • abolition of the previous 48-hour grace period for newly announced sanctions, requiring immediate compliance upon publication.

Spain

• The Spanish Council of Ministers approved the bill transposing the Directive in October 2025, but this bill is still undergoing parliamentary proceedings prior to its final approval. 
• The most relevant measures set out in the draft bill include:
  • creation of a new offence covering activities such as breach and evasion of sanctions;
  • monetary penalties of up to 1% or 5% of entities' global turnover; and
  • the creation of a governing body for the enforcement of EU restrictive measures, which will also be responsible for cooperation and collaboration in the sanctions space.
• Given Spain's significant backlog of untransposed directives, there is uncertainty as to when the Directive will be transposed.

Middle East: Conflict in the Middle East

The recent escalation of conflict in the Middle East has materially reshaped the regional risk landscape for sanctions compliance and financial crime, creating a volatile environment for businesses, financial institutions and consumers alike. Geopolitical instability is translating directly into heightened enforcement scrutiny, increasing exposure across both traditional financial channels and emerging risk areas, including through the following:

• Sanctions. As firms reconfigure shipping routes and supply chains to maintain continuity, reliance on unfamiliar counterparties, alternative logistics pathways and layered commercial structures has grown, heightening the risk of inadvertent sanctions breaches.
• Cryptocurrency and digital assets. The conflict has intensified scrutiny of digital assets as both a sanctions-evasion tool and a mechanism for rapid capital movement, particularly in relation to Iran’s increasing reliance on cryptocurrencies while largely cut off from the international financial system. Blockchain data reported during the conflict shows substantial crypto outflows from Iranian exchanges, with analysts linking some activity to sanctioned state actors and describing cryptocurrencies as a form of “shadow banking", creating significant regulatory risk for businesses and financial institutions engaging with digital assets in the region.
• Shipping and "Shadow Fleets". Similarly, heightened security threats and insurance withdrawals have pushed some operators out of key Gulf routes, while sanctioned actors have continued to rely on “shadow fleet” vessels that operate outside standard regulatory frameworks. This has increased exposure for banks, insurers and counterparties involved in trade finance and maritime services, particularly where vessel ownership, flagging and cargo movements are deliberately obscured in order to sustain flows through restricted routes.
• Rise in consumer scams. The conflict has driven a surge in opportunistic fraud as scammers exploit fear, urgency and information gaps created by rapidly evolving events. The United States Federal Trade Commission, for example, has warned of a rise in scams that reference the Iran conflict to pressure victims into sending money or disclosing sensitive financial information.

These risks underscore how quickly geopolitical conflict can translate into sanctions and financial crime exposure across multiple sectors. Organisations operating in or connected to the region should expect sustained regulatory scrutiny and ensure that sanctions, financial crime and fraud risks are closely monitored.

South Africa: Overdue changes to whistleblowing regime

South Africa recently released the Protected Disclosures Bill, 2026 (the Bill), for public comment, which proposes a wholesale replacement of the Protected Disclosures Act, 2000 (the Act).

The need for reform is evident — a report submitted by the National Anti-Corruption Council in August 2025 revealed that only 45% of respondents indicated they would report corrupt behaviour. This is primarily due to fear and weak law enforcement. Unfortunately, under the Act, it is often easier to participate in corruption than to expose it.

Against this backdrop, the Bill seeks to address these issues by aligning South Africa’s whistleblowing framework more closely with international best practice. For example, similar to the EU Whistleblowing Directive, the Bill extends protection beyond traditional employees to include contractors, consultants, volunteers and trainees, as well as related persons and those assisting the discloser. 

The changes proposed in the Bill are of paramount importance given the severe risks faced by whistleblowers in South Africa, which range from job loss to, in extreme cases, death. Notably, the Act provided no financial incentive to encourage reporting, unlike the United States and, to a lesser extent, Canada. The Bill addresses this by introducing a discretionary reward system which allows courts to grant whistleblowers up to 25% of any monetary sanction resulting from their disclosure, where their evidence materially contributed to a conviction.

Other key changes reflected in the Bill are summarised as follows: 

• Expansion of the definition of "improper conduct" to include a wide range of unlawful, unethical and irregular activities in both the public and private sectors.
• Protection extends to a broader category of “detrimental action” against disclosers and related persons. This captures intimidation, harassment, personal harm and damage to property or livelihood. 
• Enhanced confidentiality: the Bill prohibits disclosure of the whistleblower’s identity, including any information likely to lead to identification (unless consent is provided). In addition, courts are expressly empowered to hear evidence in camera and to require the redaction of identifying material.
• The Bill provides for a shift in the burden of proof in that once a whistleblower shows a protected disclosure and related harm, the employer must prove the action was not retaliatory.
• Clearer reporting procedures and obligations. 
• A centralised database for disclosures. 
• Introduces criminal liability for certain forms of retaliation.

The Bill can be accessed here.

Asia: AML/KYC enhancements in the Japanese banking sector

Effective April 2027, under the Act on the Prevention of Transfer of Criminal Proceeds (APTCP), Japan will require financial institutions to confirm customers’ identities via chips embedded in ‘My Number’ identity cards or driver’s licences for all remote account openings. This replaces the current practice of accepting images or photocopies of identity documents. Customers without 'My Number' cards or driver's licences may still submit original residency certificates or tax documents by mail.

The change will apply to natural persons acting in both their personal capacity and their corporate representative capacity in "Specified Transactions" (as defined under the APTCP) but will not apply to corporations as it relates specifically to personal ID documents.

The change is designed to prevent fraudulent accounts opened under stolen identities, bank transfer scams and telephone banking fraud. It occurs against a backdrop of similar shifts by regulators around the world, such as the European Union’s eIDAS Regulation and EU Digital Identity Wallet, and Singapore’s Singpass system. However, Japan’s mandatory, nationwide shift to chip-based verification for remote financial services sets a particularly high standard for AML/KYC compliance in the banking sector.

In addition, an earlier revision to the APTCP, effective June 2023, imposes notification requirements on Cryptoasset Exchange Service Providers and Electronic Payment Instruments Service Providers (collectively VASPs). Commonly known as the “travel rule”, the APTCP now requires originator VASPs to notify beneficiary VASPs of originator and beneficiary information at the time of the transfer of cryptoassets (virtual assets or VAs) or electronic payment instruments (stablecoins or SCs). The travel rule enables regulators to track the transaction routes of VAs/SCs, which helps to combat the use of VAs/SCs for money laundering purposes.

Asia: China enforcement update on speaker fees

Since late 2025, regulatory scrutiny of speaker/expert fees in China’s pharmaceutical sector has intensified, with the focus shifting from procedural compliance checks to substantive review.   Regulators have drawn clearer compliance boundaries, supported by authoritative guidance and targeted penalties. The overall enforcement message is clear: academic activities must not be used to disguise improper transfers of value, and both pharmaceutical companies and healthcare providers (HCPs) may face accountability.

The latest compliance framework is anchored in guidance issued in January 2026 by the Central Commission for Discipline Inspection and the National Supervisory Commission, entitled “How to Identify Illegal Receipt of Speaker Fees”.  The guidance identifies four core red lines for speaker fee compliance:

• the HCP has not obtained prior written approval from their medical institution; 
• the lecture lacks substantive academic content or includes direct promotion of pharmaceutical products; 
• the fee significantly exceeds officially recognised industry standards for academic labour remuneration; and 
• the payment is directly linked to prescription volume or product sales targets. 

Enforcement actions from late 2025 illustrate how regulators were already applying principles that would later be explicitly consolidated in the January 2026 guidance.   For example, in October 2025, a Shanghai regulator penalised a company for fabricating 587 academic meetings, forging participant lists and recharacterising routine internal meetings as academic events between 2022 and 2024.   The company paid RMB 609,800 in improper speaker fees to HCPs and was fined RMB 400,000.

Regulatory actions confirm that “substance over form” is the governing standard for speaker fee compliance. Companies can no longer rely on formal documentation alone and should verify the authenticity and substance of each activity. They should also align fee levels with official standards, obtain prior institutional approval for HCP participation and avoid any link between speaker payments and sales performance.

US: Ongoing developments in enforcement practice

In recent months, the Department of Justice (DoJ) and Securities and Exchange Commission (SEC) have continued to refine their corporate enforcement practices.

In February 2026, the SEC announced the first updates to its enforcement manual since 2017, revising policies on the Wells Notice process, settlements and cooperation credit.

• The manual refines the Wells process (by which SEC staff informs a target of its intent to recommend enforcement action and provides an opportunity to respond), along lines announced by Chairman Paul Atkins last October. Key changes include: (i) requiring multiple levels of approval to issue a Wells notice; (ii) requiring staff to disclose “salient, probative evidence” of which recipients may not be aware and to make reasonable efforts to share the investigative file; and (iii) additional guidance on response timing and content.
• The manual also revives an SEC policy allowing recipients to submit requests for consideration of offers of settlement simultaneously with requests for waivers from certain otherwise automatic consequences of enforcement action.
• The updated cooperation provisions focus primarily (and perhaps unsurprisingly) on corporate respondents, including:  (i) emphasising that self-reporting credit is inappropriate when the matter is known via media reporting or another regulator's investigation; (ii) raising the threshold for non-prosecution agreements to “exceptional circumstances”; (iii) highlighting examples of effective remediation; and (iv) guidance on the timing and extent of cooperation beyond legal requirements.

On 10 March 2026, DoJ announced a new Department-wide Corporate Enforcement and Voluntary Self-Disclosure Policy, providing a uniform framework across all DoJ components except the Antitrust Division and superseding all preexisting policies.  DoJ largely adopted Department-wide the framework of the Criminal Division’s comparable policy, which was revised in May 2025, and establishes a three-tiered structure: (i) declination cases; (ii) “near-miss” cases; and (iii) cases without voluntary disclosure or full cooperation.

Factors determining categorisation include: (i) timely self-report of previously unknown conduct to the appropriate division when not facing an imminent threat of discovery; (ii) full cooperation; (iii) timely and appropriate remediation; and (iv) absence of aggravating circumstances.   A corporation that fails to qualify for declination solely due to aggravating factors or its self-report not qualifying as voluntary self-disclosure under the policy will qualify as a “near miss” and will be offered a non-prosecution agreement with a term of less than three years, no compliance monitor, and a 50-75% reduction from the low end of the applicable US Sentencing Guidelines fine range.   All other cases remain subject to prosecutorial discretion.

Curiously, just two weeks earlier, the United States Attorney’s Office for the Southern District of New York (SDNY), the premier federal prosecutor’s office for major financial crime and misconduct affecting market integrity, had released its own Voluntary Self-Disclosure and Cooperation Program for Financial Crimes. Under the SDNY’s policy, companies that (i) self-report qualifying illegal activity; (ii) cooperate fully; (iii) commit to ongoing reporting of criminal conduct for three years; and (iv) remediate harm (including paying restitution) will receive a conditional declination “shortly after" self-reporting. This marks the first time any DoJ component has offered a conditional declination so early in the investigative process, extending unprecedented leniency and certainty. While commentators speculated that the Department-wide policy superseded the SDNY’s programme, US Attorney for the SDNY, Jay Clayton confirmed publicly in April that SDNY’s policy remained viable after the announcement of DoJ’s “Department-wide” policy and, indeed, the SDNY’s voluntary self-disclosure program remains published and in force on DoJ’s website.

Australia: ASIC's 2026 enforcement priorities

ASIC has entered 2026 signalling a sustained uplift in its enforcement agenda, building on its doubling of new investigations and court proceedings in 2025. ASIC's key 2026 enforcement priorities encompass three key focus areas, including corporate crime and financial fraud, namely:

1. Strengthening insider trading investigations and prosecutions, with a continued focus on market integrity.
2. Expanding criminal prosecutions for financial fraud, alongside seeking longer custodial sentences for serious offending.
3. Intensifying scrutiny of financial reporting misconduct, particularly as private credit funds and superannuation vehicles play an increasingly significant role in the Australian economy.

Aspects of this agenda are already translating into tangible enforcement outcomes. Since late 2025, ASIC has:

• achieved A$ 250 million in combined penalties for market misconduct against a major Australian Bank, “the largest combined penalties ASIC has ever secured against a single entity"; 
• secured a 14-year prison sentence for West Australian fraudster Chris Marco, the longest sentence imposed by an Australian court in relation to an ASIC criminal investigation; and 
• brought 19 criminal proceedings relating to director duties and governance failures.

We expect ASIC to maintain a focus on these enforcement outcomes in 2026 with a continued emphasis on individual accountability and corporate liability.

Australia: Regulators increased focus on AI-enabled corporate crime

The rapid advancement of artificial intelligence has altered Australia’s financial crime risk profile. While AI offers efficiencies for financial institutions, it has simultaneously provided fraudsters with powerful tools to scale, automate and industrialise misconduct.

In early 2026, public reporting highlighted the widespread use of generative AI to facilitate large-scale mortgage and lending fraud across major Australian banks. Fraud networks were alleged to have deployed AI tools to generate highly sophisticated false income statements, invoices and other business records to bypass traditional verification processes and secure home loans. Suspected fraudulent lending linked to these practices has been reported in the hundreds of millions of dollars. In response, AUSTRAC commenced an industry-wide review, issuing data-sharing requests to Australia's major banks and scrutinising mortgage books to assess the nature and extent of the misconduct.

This regulatory response aligns with a broader global escalation in AI-enabled‑financial crime, particularly in relation to cyber threats driven by frontier AI models such as Anthropic’s Mythos. APRA recently warned Australian banks that advanced AI models like Mythos are likely to significantly increase the probability, speed and scale of cyberattacks. It has also made clear its expectation that boards and executives strengthen AI literacy, governance frameworks and security controls, and has signalled an increased willingness to intensify supervision and enforcement where AI-related risks are not adequately managed.

Taken together, these developments convey that technology-enabled financial crime will attract heightened supervisory and enforcement attention, particularly where governance, accountability and risk management frameworks fail to keep pace with rapid technological change.