
Section 4: Enforcement

Author: ICAEW

Published: 09 Mar 2023

How rules are enforced, how breaches are investigated, the sanctions available and who adjudicates.

Enforcement is one of the key component parts of a rules-based regulatory framework – there is little point in having rules if they are not enforced, or capable of enforcement; indeed, we doubt they would otherwise be ‘rules’ at all. A sanctions regime may deter people from breaching the rules, as well as addressing issues when breaches have occurred. 

We focus below on:

  • investigations; 
  • sanctions available; and
  • who imposes sanctions and who adjudicates.  

Regulators may have other related responsibilities eg, to monitor activity in the regulated field for undesirable conduct (whether or not covered by existing rules) and to provide guidance and education if breaches occur (potentially as an alternative to imposing sanctions).

Enforcement involves some complex issues beyond the scope of this briefing, including, for example, rules of justice against 'double jeopardy' and procedural and evidential matters (eg, the impact of the requirement for criminal offences to be proved 'beyond all reasonable doubt').


Investigations

The powers of a regulator to investigate breaches or suspected breaches of rules and to determine and apply sanctions will be contained in the relevant legislation.

Regulators may employ a variety of tools to detect potential breaches of rules leading to an investigation, including having a programme for inspections of the regulated, monitoring the sector generally and monitoring complaints (including from 'whistleblowers' – see further below).

EXAMPLE: All UK audit firms that undertake PIE and large AIM/Lloyd’s Syndicate/Listed Non-UK audits are subject to Audit Quality Review (AQR) inspections by the Financial Reporting Council (FRC) in respect of this audit work. The frequency of AQR inspections varies, with larger firms inspected annually while other firms are generally inspected once every three years.

Legislation (or contract in the case of self-regulation) will specify what powers the regulator may have to compel a regulated person (or others) to provide information or otherwise participate in an investigation.

More than one regulator may have power to investigate an event. For instance, some FRC investigations have been made in parallel with criminal or regulatory investigations by the Financial Conduct Authority (FCA) or the Serious Fraud Office (SFO), which is a specialist prosecuting authority tackling the top level of serious or complex fraud, bribery and corruption.

Under statute there are certain protections for 'whistleblowers' (individuals making disclosures in the public interest) and there may be statutory or contractual duties on some to report breaches or suspected breaches of rules to relevant bodies (eg, under anti-money laundering regulations).

Sanctions available

There is a very wide range of sanctions available across the UK’s regulatory regime, including criminal sanctions resulting from prosecution under criminal law and civil sanctions for breaches of other rules. One regulator alone is reported as having employed 40 different powers. 

It is necessary to look at the applicable legislation (statute and secondary legislation) or contract (in the case of self-regulation) to see what powers of sanction are available to any given regulator. 

Sanctions include, by way of example only:


  • Power to withdraw or suspend licences to operate (eg, ICAEW’s disciplinary processes may lead to a person being excluded from its membership). 
  • Monetary penalties (sometimes loosely referred to as fines, which may be fixed amounts or applied on a case-by-case basis, ie, discretionary penalties).
    EXAMPLE: Discretionary – In 2021 FCA reported a financial penalty of over £90 million against Lloyds group companies in a Final Notice referring to breaches of PRIN 3 and PRIN 7 related to communications with customers in the general insurance and protection sector.

    EXAMPLE: Fixed – Companies House operates a system of late filing penalties on companies under the Companies Act 2006, and HMRC operates a late filing and daily default penalties system under tax legislation.

  • Enforcement undertakings and other agreed remedies (eg, the Insolvency Service may accept a voluntary compensation undertaking instead of taking court proceedings). 
  • Making adverse regulatory findings public (naming and shaming).

Criminal sanctions 

  • Fines.
    EXAMPLE: In 2021, FCA reported a fine of over £264 million against National Westminster Bank for three offences of failing to comply with the Money Laundering Regulations 2007. This fine was levied by the Court following the FCA’s successful criminal prosecution of the bank (such fines are not paid to the FCA).

    EXAMPLE: Directors are personally liable to a criminal fine for late filing of accounts (see late filing penalties on companies, above). Companies House takes cases to court where it thinks that a criminal fine is warranted.

  • Imprisonment (normally available in relation to rules that are considered especially serious, but more common than may be widely realised, eg, applying to breaches of company law requirements including on keeping accounting records, unlawful assistance for the purchase of a company’s own shares, registers of interests, fraudulent trading etc). 

The relevant legislation will specify any limits on the exercise of the civil powers, for instance, maximum amounts of fines. Various guidelines also apply to the courts in relation to sentencing for criminal offences. Factors may include whether or not the regulated person co-operated with the regulator (eg, self-reported).

Sanctioning companies/corporations

A UK company is generally regarded as a 'person' in UK law, and so may be subject to sanctions (unless rules otherwise provide, for instance, rules that apply to individuals only). 

However, applying criminal sanctions to companies can be problematic. For instance, where the offence involves establishing the state of mind of a person (eg, intent), the courts have determined that the company may be liable for the criminal acts of those who represent its ‘directing mind and will’ – a circumstance that may be hard to establish in practice.

Some statutes include specific provisions to facilitate criminal enforcement against corporations, including the Corporate Manslaughter and Homicide Act 2007, and the Bribery Act 2010.

As an alternative to prosecuting a company, a prosecutor may agree to a Deferred Prosecution Agreement (DPA), under the supervision of a judge. The agreement allows a prosecution to be suspended for a defined period provided the organisation meets certain specified conditions. DPAs can be used for fraud, bribery and other economic crime. They apply to organisations, never to individuals.

Who imposes sanctions and who adjudicates?

Some regulators will be empowered to impose sanctions themselves, as noted above. This will be set out in the relevant legislation (or contract in the case of self-regulation).  No regulator will, however, be empowered to impose criminal sanctions, as that is a matter for the courts alone.  

Where regulators have both investigatory and enforcement powers, as a matter of fairness it is generally understood that there should be clear separation between the investigatory and disciplinary roles of regulators.  

This separation is often achieved by regulatory bodies establishing a separate committee or panel to determine liability to disciplinary action and sanction which operates independently from the regulatory body itself. 

EXAMPLE: ICAEW carries out its investigatory function ‘in house’ then puts the investigation report and recommendation to an independent investigation committee, which may refer the matter to an independent disciplinary committee.

Regulators may also have obligations relating to alternative dispute resolution procedures, eg, to offer consumers alternatives to seeking redress through the courts. Examples include the Financial Services, Pensions and Legal Services Ombudsmen.

EXAMPLE: Financial Services Ombudsman (FOS Ltd) handles complaints between financial businesses and their customers and can offer financial redress. The volume of complaints upheld against payday lenders had an impact on the regulation and practices in that sector. Responsibility for ensuring that the scheme operator is, at all times, capable of exercising its functions under FSMA rests with the FCA.

There will generally be a right for a person to contest a sanction that a regulator seeks to impose, for instance through one of the many tribunals for independent adjudication of contested cases in regulated sectors. These may be tribunals within the UK court and tribunal system or provided for by the regulator (with recourse to tribunals or courts where appropriate). For example, a sanction to be imposed by the Financial Conduct Authority can be contested in the Upper Tribunal, part of HM Courts and Tribunals Service. A sanction to be imposed by the FRC can be contested through an independent disciplinary tribunal, which the FRC is required by legislation to make available.

As noted above, regulators cannot impose criminal sanctions. Instead, a prosecuting authority will take a case to court for the court to decide whether to impose a sanction (and the courts’ appeals processes will apply).    

The main prosecuting authority is the Crown Prosecution Service, but regulators, such as the Health and Safety Executive, the Serious Fraud Office and the FCA (see fines above), may be prosecuting authorities for some offences.  

The SFO (see investigations above) is said to be unusual in the UK in that it both investigates and prosecutes cases.
