Vetting and anti-corruption part 1: How effective is the National Crime Agency at dealing with corruption?

Published on: 20 June 2023

Summary

The National Crime Agency (NCA) is the UK’s lead agency in the fight against serious and organised crime. It manages intelligence and information that requires the highest levels of security. The NCA takes this very seriously and has technology in place to prevent external penetration of its systems.

The protection of information held by the NCA requires good cybersecurity (access to IT systems), physical security (access to premises) and personnel security (trustworthiness of staff). The introduction of the NCA’s integrated protective security (IPS) department in early 2022 shows that the NCA considers and adapts to protect the information it holds. Within IPS, the personnel security department has three teams: a vetting department, an anti-corruption unit (ACU) and a professional standards unit (PSU).

We found that staff understood their responsibilities to keep premises, systems and information secure and the consequences of failing to do so.

Vetting

The NCA has a vetting process that completes security clearances beyond the standards set out for government departments by the Cabinet Office. We found that there were sufficient staff in the vetting team to manage demand and prevent a backlog of vetting checks.

We didn’t inspect the NCA’s vetting records to the same depth as our recent inspection of police vetting records. However, based on our fieldwork in the NCA, we found indications of greater aversion to risk. NCA interviewees told us they would be very reluctant to provide vetting clearance to individuals with, for example, family connections to people with criminal records.

Our only concern about the NCA’s vetting process is the willingness of its staff to report concerns about their colleagues. We cover this in our section on prejudicial and improper behaviour.

Anti-corruption

We found that the ACU usually investigated to a good standard, using covert tactics when necessary. However, the investigations we reviewed were often limited to the original allegation and weren’t used to explore potential wider corruption or misconduct. This has been recognised by the IPS leadership and investigators are instructed to extend the scope of their investigations. This change of approach is too recent for us to evaluate its impact on corruption.

The ACU does very little activity that isn’t acting on specific intelligence. The agency is investing in IT monitoring to be able to automate searches to find unauthorised access and use of its systems. This has been available to policing for some time now (though not all forces use it) and the NCA needs to have this capability.

Prejudicial and improper behaviour

We found that there was generally a positive and inclusive culture in the NCA, where prejudicial and improper behaviour (see Annex A for definition) wasn’t tolerated by colleagues. This was particularly the case in the NCA’s two headquarter sites. However, we found significant evidence of prejudicial and improper behaviour in units and teams based in satellite offices.

In too many cases, this behaviour was allowed to continue, not least because of poor leadership. We found that there were:

  • inconsistency in the standards of behaviour senior leaders considered acceptable;
  • confused messaging about the expected standards of behaviour; and
  • inconsistent decision-making in misconduct cases involving sexual harassment and dishonesty.

All of this sends signals to the workforce that poor behaviour isn’t worth reporting because senior leaders tolerate it. This is reflected in the NCA’s staff surveys and the evidence that we gathered. This lack of confidence results in low levels of internal reporting, meaning that vetting reviews may not be based on a full picture of an individual. This leads to a weaker personnel security process. The agency plans to introduce a confidential reporting process to improve the flow of information about colleagues.

The agency says on its website that “diversity is one of [their] greatest strengths”. The NCA Inclusion Culture Strategy shows that the proportion of women and ethnic minorities in its workforce is comparable to the national working population. These same groups, however, are underrepresented at senior grades and in operational roles. The agency needs to add clear and ambitious targets to its inclusion plans to make sure it improves representation across all areas of its workforce.

Many of our findings in the NCA are broadly similar to those in our inspection of police vetting, misconduct and misogyny. In that report we made many recommendations. Some may be of as much relevance to the NCA as to police forces. Therefore, we would encourage the NCA leadership to carefully review them.

Recommendations

We make 19 recommendations.

Recommendations

Recommendation 1

By 31 March 2023, the National Crime Agency should include reminders of vetting and anti-corruption policies in the annual appraisal process of all staff.

Recommendations

Recommendation 2

By 31 December 2022, the National Crime Agency should review the people risk meetings between the integrated protective security department and HR to make sure all relevant information about individuals of concern is shared regularly.

Recommendations

Recommendation 3

By 31 March 2023, the National Crime Agency should have a process for sharing relevant integrated protective security information with line managers to help manage and mitigate risk.

Recommendations

Recommendation 4

By 31 December 2022, the National Crime Agency should re-publish its policy to state that all voluntary work, business interests and political activity must be reported to, and approved by, the professional standards unit.

Recommendations

Recommendation 5

By 31 March 2023, the National Crime Agency should seek legal advice and, if lawful, change its policy to restrict political activity by its staff consistently across all grades and in line with policing.

Recommendations

Recommendation 6

By 31 December 2022, the National Crime Agency should publicise its potentially compromising individuals policy to all staff to make sure everybody understands their responsibilities for notifying line managers.

Recommendations

Recommendation 7

By 30 September 2023, the National Crime Agency should make sure that it has IT monitoring capability for all its systems, to effectively protect the information contained within its systems and help it to identify potentially corrupt officers and staff. In the meantime, by 31 December 2022, the National Crime Agency should have IT monitoring for its core systems.

Recommendations

Recommendation 8

By 31 March 2023, the National Crime Agency should make sure that it has an effective confidential reporting system that is accessible to all staff.

Recommendations

Recommendation 9

By 31 March 2023, the National Crime Agency should make sure that the option of integrity interventions is available to the anti-corruption unit to use as a tactic.

Recommendations

Recommendation 10

By 31 December 2022, the National Crime Agency should introduce a peer review process for misconduct panels and use the outcomes of these reviews as continual professional development for the panel chairs.

Recommendations

Recommendation 11

By 31 March 2023, the National Crime Agency should make sure that the professional standards unit is notified of grievance outcomes and all misconduct matters informally resolved by managers.

Recommendations

Recommendation 12

By 31 March 2023, the Home Office should work with the National Crime Agency and the College of Policing to amend the Police Barred List and Police Advisory List Regulations 2017 to include the National Crime Agency.

Recommendations

Recommendation 13

By 31 March 2023, the National Crime Agency should produce accurate data dashboards of the breakdown of its workforce by age, gender, ethnicity, role and location.

Recommendations

Recommendation 14

By 31 March 2023, the National Crime Agency should define standards of expected behaviour and include a definition of discreditable conduct and the obligation to report, challenge, and act against, improper behaviour.

Recommendations

Recommendation 15

By 31 March 2023, the National Crime Agency should produce a policy providing clear guidance on acceptable behaviour in the use of encrypted applications such as WhatsApp on mobile phones, for operational and non-operational purposes.

Recommendations

Recommendation 16

By 31 December 2022, the National Crime Agency should publish anonymised details of misconduct case findings.

Recommendations

Recommendation 17

By 30 June 2023, the training given to panel chairs should include the director general (or delegate) setting out their expectations of the misconduct process. This input must be provided retrospectively to those panel chairs who have already attended the training course.

Recommendations

Recommendation 18

By 30 September 2023, the National Crime Agency must provide training for all officers and staff, clearly setting out standards of behaviour expected from them. This should include:

  • guidance for leaders on their role in applying those standards;
  • the grievance procedure; and
  • the process for reporting misconduct or suspected corruption.

Recommendations

Recommendation 19

By 31 December 2022, the National Crime Agency should adopt our definition of prejudicial and improper behaviour or an alternative of its own.

Introduction

Our commission

His Majesty’s Inspectorate of Constabulary and Fire & Rescue Services (HMICFRS) is an independent inspectorate. The Crime and Courts Act 2013 requires us to inspect the NCA. Following an inspection, we must report to the Home Secretary on the agency’s efficiency and effectiveness.

This is our 11th inspection of the NCA. It examines the organisation’s ability to protect its assets from corruption threats.

Terms of reference

This inspection was carried out in two parts, and we consulted the NCA’s director general when establishing our terms of reference, which were to consider how well the NCA tackles the threat of corruption it faces. We then considered how well it supports police forces and other law enforcement bodies to tackle the threats of corruption they face.

We sought to answer the question: how effective is the NCA at dealing with corruption?

In part one of this inspection, we examined how well the NCA:

  • vets its officers (including candidates wishing to become officers);
  • identifies and prevents potential corruption, and how well it investigates corruption among its officers; and
  • identifies and prevents improper behaviour by its officers, including gender-based prejudice (see Annex A for definition).

In part two of this inspection, we will examine how well the NCA:

  • helps police forces and other law enforcement bodies to identify corruption; and
  • works with them to tackle it.

Methodology

We visited NCA teams in London and Warrington. We spoke to officers at different grades and across many functions. We also interviewed representatives of various staff associations.

We went to NCA premises to view case material, examine data and observe the systems in operation. While there, we read briefings and examined the agency’s staff intranet. We reviewed 110 case files – 39 anti-corruption files, 69 misconduct files (of which 12 involved sexual misconduct) and 2 vetting withdrawal files.

We carried out pre-inspection planning from May 2022. Our fieldwork took place in July and August 2022.

We reviewed NCA documents and the Civil Service code before and during the fieldwork, including:

  • NCA Annual Plan 2022–23;
  • NCA policies and operating procedures;
  • NCA code;
  • NCA Inclusion Culture Strategy 2021 to 2025; and
  • NCA culture enquiry results – phases 1 and 2.

Finally, we interviewed the head of IPS and the head of personnel security.

About the National Crime Agency

The NCA is the UK-wide crime-fighting agency. It is responsible for leading, supporting and co-ordinating the response to serious and organised crime. This includes:

  • human trafficking;
  • weapons and drugs trafficking;
  • cybercrime and economic crime that crosses regional, national and international borders; and
  • child sexual abuse and exploitation.

The agency has two statutory functions: crime reduction (investigations) and intelligence. It also leads the national response to serious and organised crime. It has more than 5,500 officers. Of these, 150 work abroad across 53 countries.

The responsibility for vetting and anti-corruption sits within the IPS department. It brings together the functions of cyber, personnel and physical security. Within IPS, the PSU investigates NCA staff who are suspected of falling below the standards of behaviour expected of them.

Standards and values

The NCA is a civil service and a law enforcement agency. The Civil Service code and the NCA code, when read together, set out the standards of behaviour for NCA staff. These two documents focus on different aspects of behaviour but complement each other. The Civil Service code focuses on political objectivity and impartiality. The NCA code covers integrity, honesty and public service.

The way the NCA manages misconduct is set out in the National Crime Agency (Complaints and Misconduct) Regulations 2013. The three independent bodies that oversee police misconduct in England and Wales, Northern Ireland and Scotland have similar responsibilities for overseeing misconduct in the NCA.

Investigations are decided on the ‘balance of probabilities’ (whether an allegation is more likely to be true than not). Once an investigation is complete, the investigator sets out the case in an investigation report. A senior member of IPS then assesses if there is a ‘case to answer’. This judgment is made based on whether a disciplinary panel could find that misconduct or gross misconduct has taken place.

If there is a case to answer, a disciplinary panel is convened, chaired by a senior NCA staff member who hasn’t previously been involved in the investigation. They must decide if the misconduct has happened and what sanction is appropriate. If the matter is upheld, the NCA can impose the following sanctions:

The option to dismiss is only available in the most serious cases, deemed to be gross misconduct.

There is an appeal process for the accused member of staff, which is heard by a different senior member of the NCA. The decision to suspend a member of NCA staff during an investigation falls to the head of IPS.

Vetting and anti-corruption context

Recruitment and vetting are the first lines of defence for all law enforcement agencies, to protect national security and to prevent and detect potential corruption threats. As a civil service, the NCA is part of the national security vetting system, which is used across all government departments. The system is governed by the Cabinet Office guidance, HMG Personnel Security Controls. This states that: “The purpose of [vetting] is to confirm the identity of individuals … and provide a level of assurance as to their trustworthiness, integrity and reliability.”

This guidance describes three vetting levels: counter-terrorism check, security clearance (SC) and developed vetting (DV). DV is for people regularly accessing information that is top secret (according to the Government Security Classifications set out by the Cabinet Office). SC clearance is for people who have regular unsupervised access to secret material. The NCA chooses to vet all its permanent staff to either SC or DV level.

The recruitment checks are only accurate at the time they are completed. The continual assessment of someone’s vetting status requires regular review of available information. The NCA instils a security culture in its staff at the point of recruitment, requiring everyone to report security concerns. Policy makes it clear that individuals have a duty to report any changes in their personal circumstances so vetting teams can reassess their vetting status. The process also requires the workforce to be vigilant of each other and have the confidence and ability to report concerns about individuals. We found, however, that those who had been in the organisation longer had poor knowledge of their responsibilities to report changes in their circumstances.

The NCA produces the National Strategic Threat Assessment for corruption, which is used by police forces and other law enforcement partners as a basis for assessing the risk they face from corruption. The agency also produces a similar threat assessment for its internal use.

All law enforcement agencies must manage the threat of corruption. This is usually organised through a separate department, referred to as either a counter or anti-corruption unit. The NCA has an ACU which is responsible for identifying, preventing and investigating potential corruption. Corruption can take the form of sharing information, profiting from the activities of the agency, or the abuse of position for any purpose. This is particularly topical nationally following some high-profile cases involving police officers abusing their position for a sexual purpose.

Law enforcement agencies that are better at preventing corruption use software to look for possible misuse of their IT systems.

Findings: Vetting

This section covers:

  • vetting processes
  • security culture.

Vetting processes

We found that the NCA didn’t take unnecessary risks by compromising on the standard of vetting across the agency. It carries out regular reviews of those staff with the highest security vetting.

The creation of the IPS department has improved communication between vetting, the ACU and the PSU. The department structure is still in its infancy and the agency is aware of many aspects of IPS that still need improvement. It has plans and money allocated to achieve this.

The National Crime Agency has rigorous processes for vetting

We have recently criticised policing for failing to effectively mitigate the risks it takes with vetting decisions. The NCA doesn’t take risks with vetting processes and the staff in the team aren’t influenced by organisational pressures, such as the need to recruit in large numbers or find people with specific skills. The vetting team checks new recruits and people moving from within the agency to the approved standard before they take up their post. Existing vetting isn’t simply transferred. The minimum level of vetting for permanent staff is SC. The team conducts the checks required for SC and then additional ones, primarily using their own serious and organised crime data, to meet the agency’s own standard, referred to as SC enhanced.

The vetting level required for each post is defined by the NCA’s HR department. Any new posts where managers think the postholder needs to be DV cleared must be approved by HR.

We reviewed two cases where vetting had been withdrawn and the individual’s employment was terminated. These files demonstrated robust and fair processes. The employee had the opportunity to make their case during a ‘minded to withdraw’ vetting meeting. The decision-making was well documented and was compliant with the Cabinet Office vetting code.

The National Crime Agency has policies for staff to understand the role of the vetting department and the responsibilities of the individual

The NCA has a vetting booklet, which is provided to all new recruits. This explains the role of vetting in maintaining national security and the threat of infiltration by criminal groups. The policies make clear that it is an individual’s responsibility to report any changes in their personal circumstances.

Security culture

The NCA has created a culture of security and personal responsibility. We found that the officers we interviewed understood the importance of protecting information relating to all aspects of the NCA’s activities. The requirement to vet all staff and contractors entering its sites reinforces the importance of physical security.

We found that the security culture was strong in relation to physical security (premises) and cybersecurity (information). The security culture in relation to people and their behaviour was less clear. There was little evidence from our focus groups that staff knew they should report concerning behaviour or how they should do it.

There are different opinions among senior leaders about the level of threat the agency faces from infiltration. Assessments are clear that this threat is real and significant. These differences in opinion mustn’t be allowed to affect investment in these areas.

The integrated protective security structure has improved the connectivity between vetting, the anti-corruption unit and the professional standards unit

The creation of IPS has allowed for greater interaction between vetting, the ACU and the PSU. It is easier to share concerns and so more sharing is happening.

We found that the vetting unit had reported integrity concerns to the PSU following pre-employment clearance and security checks, and vetting interviews. This included failed drug tests and withholding information during vetting interviews. New recruits to the NCA must serve a six-month probationary period before their employment is confirmed. During this period the NCA can dispense with their services without going through a formal disciplinary process. In most cases, probationer performance panels are used effectively to terminate employment of probationers displaying concerning behaviours.

The National Crime Agency has good annual reviews for the highest level of vetted staff

The vetting team sends an annual review document to every member of staff with DV clearance and their line managers. Line managers then check with the individual whether their circumstances have changed and provide an assessment of their suitability to continue to hold DV vetting. This process reminds people of their obligation to update vetting when circumstances change, and it also gives line managers an opportunity to share any concerns about their staff.

This process doesn’t apply to staff with lower levels of vetting. We found that, despite the policies being available on the intranet, not everyone was familiar with the vetting policies and the requirement to notify changes of circumstances. The annual checks should be extended to all levels of vetting and become part of the regular conversations between line managers and staff.

Recommendations

Recommendation 1

By 31 March 2023, the National Crime Agency should include reminders of vetting and anti-corruption policies in the annual appraisal process of all staff.

The National Crime Agency needs to strengthen the link between vetting and HR processes

Personnel security relies on the availability and assessment of information relating to individual members of the workforce.

To be effective, different departments in an organisation must share the information they have about individuals that is relevant to personnel security. In the NCA, HR holds information relating to an individual’s performance and any grievance issues raised about them.

We were told of a people risk panel to discuss people of concern within the organisation. This involves all aspects of the information held by IPS and HR. We have previously commented favourably on similar processes in policing. These meetings make sure that people who could be a security risk are discussed using all available information and not in isolation.

However, these meetings haven’t actually happened in the NCA since the previous chair of the process left the organisation earlier in 2022. We recommend that the meetings are reinstated and held regularly.

Recommendations

Recommendation 2

By 31 December 2022, the National Crime Agency should review the people risk meetings between the integrated protective security department and HR to make sure all relevant information about individuals of concern is shared regularly.

In addition, the flow of information about individuals must include line managers. They are a valuable source of potentially relevant intelligence about their staff. Where there are concerns about individuals, line managers must be told enough information to make sure they are looking for, and reporting, concerning behaviours.

Recommendations

Recommendation 3

By 31 March 2023, the National Crime Agency should have a process for sharing relevant integrated protective security information with line managers to help manage and mitigate risk.

Findings: Anti-corruption

This section covers:

  • anti-corruption investigations
  • proactive anti-corruption activity
  • corruption intelligence.

Anti-corruption investigations

The anti-corruption unit conducts good investigations but sometimes their scope is too narrow

The ACU has the people, expertise and equipment to undertake complex anti-corruption investigations, using a range of covert tactics. We found that there were low levels of intelligence relating to NCA staff for the ACU to develop.

The ACU makes its resources available to carry out anti-corruption investigations on behalf of Border Force. This is because Border Force doesn’t have the capability to tackle the corruption threat at the border.

Of the 38 anti-corruption files we reviewed, all were recorded under the nationally approved categories. We found that basic checks to make sure people had legitimate reasons for accessing information were recorded as potential corruption until the ACU was satisfied otherwise. All cases had effective supervision.

The investigations undertaken by the ACU are of a high standard. Staff are trained by the College of Policing, have access to all covert tactics, and their assets are protected using discreet premises.

However, we found that some misconduct investigations, including sexual misconduct, were too narrow in scope. We found several cases where investigators failed to address wider issues of misconduct by either the subject of, or others connected to, an investigation. Instead, investigations were limited to the primary allegation. This does nothing to tackle the culture, particularly in cases of sexual misconduct, within teams where similar behaviour is prevalent. Given the availability of the ACU’s resources, this is something we found difficult to understand.

We found examples of investigations where previous opportunities to tackle improper behaviour had been missed by line managers. These weren’t, however, raised as potential performance or misconduct issues for those managers involved, nor was there evidence of organisational learning being generated.

The National Crime Agency has policies to prevent corruption

We looked at the NCA’s policies intended to help it tackle corruption. These are:

  • gifts and hospitality – covering the circumstances in which staff can accept or must reject offers of gifts and hospitality;
  • business interests and political activity – covering when the agency should allow or deny staff the opportunity to hold second jobs, and how it will manage the risks that arise when they are allowed to do so; and
  • potentially compromising individuals (notifiable associations) – covering how the agency should manage the risks associated with staff who may associate with, for example, private investigators, journalists or criminals, and require the disclosure by officers and staff of such associations.

Gifts and hospitality

The NCA’s policy in relation to gifts and hospitality is clear. It sets out what is covered by the policy and who should be notified by whom. We were pleased to find that it states that all gifts must be recorded, and that the PSU be notified so it can hold a central register for future reference. Although this provides clarity for staff, we found that people weren’t generally aware of the policy.

Business interests and political activity

The NCA policy sets out what business, voluntary and political activities officers and staff are allowed to partake in outside their work with the NCA. We found that the policy wasn’t consistent. Some activities ‘must’ be reported and others ‘should’ be reported to line managers. For example, although it stipulates that all business activity must be reported to a line manager, it isn’t clear what voluntary activity should be reported. To avoid doubt, we recommend that all business, voluntary and political activity must be reported to the PSU.

Recommendations

Recommendation 4

By 31 December 2022, the National Crime Agency should re-publish its policy to state that all voluntary work, business interests and political activity must be reported to, and approved by, the professional standards unit.

The policy allows for active participation in political activities. The level of activity depends on the grade of the staff member. Senior leaders can only take part in local politics (except board members, who can’t take an active role in any political activity) whereas lower grades can actively take part in national politics. An active role would include campaigning for a political party and running as a candidate in an election and wouldn’t exclude being a member of a political group or party.

While we accept that the NCA is part of the civil service and not a police force, we find that it is harder to maintain impartiality if staff are actively involved in politics (which serving police officers are prohibited from doing).

Recommendations

Recommendation 5

By 31 March 2023, the National Crime Agency should seek legal advice and, if lawful, change its policy to restrict political activity by its staff consistently across all grades and in line with policing.

Potentially compromising individuals

The NCA’s potentially compromising individuals policy is very similar to the notifiable associations policies used in policing.

The purpose of the policy is to make sure that any associations or chance meetings with individuals who could compromise the position of officers and staff are declared, recorded and, if necessary, risk assessed.

The list of those considered to be potentially compromising includes:

  • people with criminal records;
  • security consultants;
  • private investigators; and
  • journalists.

However, we found that staff, including those in IPS, had a poor understanding of the policy, or the risks posed by such associations.

Recommendations

Recommendation 6

By 31 December 2022, the National Crime Agency should publicise its potentially compromising individuals policy to all staff to make sure everybody understands their responsibilities for notifying line managers.

Proactive anti-corruption activity

The National Crime Agency doesn’t proactively monitor its IT systems

The NCA has limited ability to examine its IT systems for misuse. At a basic level, as part of an investigation, the agency can retrospectively examine its systems to establish who sent or received an email. The NCA’s examinations of email traffic using this capability are reactive and cumbersome. Significantly more effective and proactive monitoring solutions are available, but the agency hasn’t implemented them.

Lawful business monitoring (LBM) is a legitimate activity for forces to monitor their information systems and methods of communication. LBM is governed by the Investigatory Powers (Interception by Businesses etc. for Monitoring and Record‑keeping Purposes) Regulations 2018, which authorise public authorities to monitor and record internal business communications.

The use of LBM helps make sure that access to police systems and use of communication devices is for a lawful policing purpose. By using LBM, forces seek to identify unlawful access to police records, wrongful disclosure of police data, computer misuse and inappropriate use of communication devices.

The use of IT monitoring is covered by LBM legislation. It can be used to automate proactive checks on access to all of a force’s IT systems and communication devices. Automated IT monitoring is an effective tool for identifying corrupt individuals – for example, those passing information to organised crime groups. Although we haven’t previously recommended the NCA uses IT monitoring, we have consistently recommended that policing use the tactic to seek out corruption. This technology has been available for many years, but the NCA doesn’t yet have it.

With the creation of IPS, the agency has shown that it understands the importance of tackling the threat of corruption. The agency, led by IPS, has procured software to allow proactive monitoring of all its systems. There is a plan for the introduction of the system, with enough staff trained to use it effectively. By 2023, it is expected that the software will be implemented across all systems, with core systems receiving it later this year, though timescales aren’t formalised.

Recommendations

Recommendation 7

By 30 September 2023, the National Crime Agency should make sure that it has IT monitoring capability for all its systems, to effectively protect the information contained within its systems and help it to identify potentially corrupt officers and staff. In the meantime, by 31 December 2022, the National Crime Agency should have IT monitoring for its core systems.

Corruption intelligence

There is no way to report corruption issues anonymously

The NCA doesn’t have an effective confidential reporting system. There is a phone number and an email address, both managed by the PSU, but neither protect the anonymity of the reporting person. This leaves handwritten letters as the only viable option for staff wishing to protect their identity. We found examples of staff creating new email accounts to try to remain anonymous. Unsurprisingly, there was a lack of confidence in the agency’s ability to protect the identity of those reporting misconduct or corruption.

We found very low levels of reporting by NCA officers raising concerns about internal threats. There have been seven reports in the last two years, of which three were audit checks and not examples of corruption intelligence. This shows the lack of confidence NCA staff have in the reporting process.

An additional hurdle for staff is the difficulty in locating advice and the means to report inappropriate behaviour. The NCA has a policy, Professional Standards Reporting, for reporting ‘alleged misdemeanours’ by colleagues. The agency has deliberately not used the term whistle-blower as it believes this has negative connotations and would put people off reporting. It is our view that the avoidance of terminology widely used in society makes it more difficult for employees to find policies and report poor or criminal behaviour.

Our file reviews revealed a single case from information reported as a protected disclosure under the Public Interest Disclosure Act 1998. This is being managed well; effective support has been put in place for the reporting person and the investigation is being discreetly managed through the ACU, assisting an Independent Office for Police Conduct investigation. There is appropriate senior oversight in this case.

The NCA has purchased a reporting application for smart phones. This will provide proper anonymity and will be available to all staff to report concerns about colleagues. There is no timeline approved for this project yet, so we can’t assess its value.

Recommendations

Recommendation 8

By 31 March 2023, the National Crime Agency should make sure that it has an effective confidential reporting system that is accessible to all staff.

The development of corruption intelligence is limited

The agency has limited resources for proactively collecting and developing corruption intelligence. We found that those resources weren’t used efficiently. The intelligence staff within IPS mostly act as a conduit for receiving intelligence about corruption in another organisation, often police forces, and passing it on. They don’t usually develop this intelligence further and this is predominantly an administrative function.

The methodology used by IPS for prioritising activity is simplistic. Work is not prioritised well according to risk. As a result, information relating to the legitimate use of systems is treated the same as intelligence about possible corruption. The ACU is thorough and pursues all corruption intelligence as far as it can, sometimes wasting time on leads that a risk-based process would filter out. Adopting such a process would free capacity for more proactive investigations.

We found that the development of corruption intelligence was often limited to the information contained in the initial report. As a result, little research was carried out on others who could possibly be involved.

The NCA doesn’t use integrity interventions to mitigate corruption threats. These are interventions where, if it isn’t possible to identify an individual from the intelligence, a team or a department can be advised of the potential threat. This increases vigilance in the team, alerts the criminals to the possibility they have been discovered and makes infiltration more difficult. We found two cases where intelligence regarding corrupt associations with criminals was narrowed down to a small group of officers, who could have been advised without compromising the intelligence, but integrity interventions weren’t used. This option should be considered in future.

Recommendations

Recommendation 9

By 31 March 2023, the National Crime Agency should make sure that the option of integrity interventions is available to the anti-corruption unit to use as a tactic.

Misconduct investigations

The outcomes of misconduct investigations are inconsistent

Investigations into misconduct are conducted to a good standard and the PSU makes a strong case when it believes there is a case to answer. In these cases, a misconduct panel is convened, chaired by a senior NCA officer (deputy director or above). Misconduct panel chairs receive two days’ training on their responsibilities. This mainly covers the legislative aspects of the process.

We found significant differences in outcomes between similar cases within the NCA. Cases of proven sexual misconduct generally led to the termination of employment, but not always. We found examples of first written warnings being given for predatory sexual behaviour. We don’t support the rationale for this leniency.

Inconsistency creates uncertainty among the workforce as to what behaviours are, and aren’t, acceptable. We found that most groups we interviewed felt that the inconsistency in outcomes for proven misconduct cases meant they would be reluctant to report improper behaviour at all (see chapter: Prejudicial and improper behaviour, below).

We found that senior staff under investigation for misconduct were treated differently to those of lower grades. Junior officers will usually be suspended immediately if suspected of sexual misconduct. But we found examples of officers more senior than their victims, with multiple allegations against them, being moved to other departments. More recently, this has been supported by a risk assessment and regular reviews by IPS management. This might, in part, explain the results of the staff and culture surveys and our interviews, all of which reveal a lack of confidence in reporting issues to senior managers.

In relation to the Border Force investigations conducted by the NCA, our file reviews found effective intelligence collection, development and use of ACU covert assets to tackle the corruption threat. The subsequent outcomes by Border Force are significantly more robust than those of the NCA. We found people were removed from employment at an early stage if it was apparent that they had been dishonest.

Recommendations

Recommendation 10

By 31 December 2022, the National Crime Agency should introduce a peer review process for misconduct panels and use the outcomes of these reviews as continual professional development for the panel chairs.

There is no central record of informal resolution for misconduct

The formal disciplinary process includes the option for the PSU to recommend a performance outcome such as learning for the individual or for the organisation. All managers have the option of dealing locally with poor behaviour that doesn’t meet the PSU threshold for misconduct. There are situations where local resolution is the right outcome for the individual and for the person reporting the behaviour.

The NCA doesn’t have a central repository for recording informal resolutions – this is the responsibility of individual managers. Record keeping is inconsistent and, if made at all, records are kept by the line manager. This lack of corporate memory could mean that patterns of bad behaviour are missed when staff move between teams.

Our focus groups told us that informal resolutions are often used to deal with gender‑based prejudicial and improper behaviour. Without a centrally held record of these cases, the true extent of prejudicial and improper behaviour can’t be known. We also found occasions where senior managers asked the victims what they should do to resolve the matter, rather than taking responsibility for the standards expected and dealing with it accordingly.

Recommendations

Recommendation 11

By 31 March 2023, the National Crime Agency should make sure that the professional standards unit is notified of grievance outcomes and all misconduct matters informally resolved by managers.

National Crime Agency staff who are dismissed for misconduct or leave before the case is concluded aren’t prevented from working elsewhere in law enforcement

Former NCA staff aren’t included in the College of Policing’s barred list, nor is there a Home Office alternative. The barred list is a published list of people who have been dismissed from policing through the Police (Conduct) Regulations 2012.

Our file reviews revealed staff moving to other government departments and joining the police while under investigation or after a misconduct finding by the NCA.

The inclusion of former NCA staff on the College of Policing’s barred list will require changes to legislation and policy. The extra work required to make these changes shouldn’t be a barrier to protecting law enforcement from additional risks around those whose behaviour falls below the standards required.

If this is achieved, it is important that the NCA investigates any misconduct before dismissal by a probationer panel, as otherwise, the individual won’t appear on the barred list.

Recommendations

Recommendation 12

By 31 March 2023, the Home Office should work with the National Crime Agency and the College of Policing to amend the Police Barred List and Police Advisory List Regulations 2017 to include the National Crime Agency.

Findings: Prejudicial and improper behaviour

This section covers:

  • strategy and activity to tackle prejudice;
  • organisational culture; and
  • leadership.

Strategy and activity to tackle prejudice

Women and ethnic minorities are underrepresented in senior and operational roles and overrepresented in lower-grade roles

The NCA states on its website: “Our diversity is one of our greatest strengths.” According to the Inclusion Culture Strategy, there is a commitment to create a diverse workforce and an inclusive culture to make people “feel safe, happy and able to contribute at work”. We found that senior leaders understood the value of having a diverse workforce and were committed to creating it.

In 2021, Black and Asian people and those from ethnic minority backgrounds accounted for 12.2 percent of NCA staff, close to the national working age population proportions. Women made up 43.2 percent of the workforce, which is below the figure for the working population.

Since 2014, when the NCA was created, representation of both groups has steadily increased. However, there remains a disproportionate representation of both women and those from ethnic minority backgrounds in the most junior grades. Approximately 60 percent of Grade 6 officers (the most junior grade in the NCA) are women and 23 percent are from ethnic minority backgrounds. Representation of either group in operational teams is almost zero.

We were told that the recruitment processes discriminate against women, disabled staff and carers. Adverts will often specify locations for jobs and fixed hours when they could be more flexible.

Even those adverts that are advertised as being flexible display unconscious bias. Statements such as “London preferred” or “full-time preferred” will make potential applicants believe that part-time workers and those in other locations will be excluded. This will deter people with caring responsibilities or who are restricted by a medical condition or disability. Women are more likely to have to consider caring responsibilities than men.

We were told by staff that flexible working is seen as a weakness, an inconvenience to management and a barrier to being treated equally in operational roles. There are very few senior female leaders with flexible working patterns compared to those in the lowest grades.

The National Crime Agency has an inclusion strategy and policies that allow it to tackle prejudicial and improper behaviour

The Inclusion Culture Strategy sets out how the agency will improve diversity throughout the organisation. There are four goals:

  • attract all;
  • break barriers;
  • community commitment; and
  • driving an inclusive culture.

This plan is at an early stage, and we can’t judge the success of the agency in achieving the four goals. Many of the action plans within these goals are to understand the current position, demonstrating the infancy of this work. There are no specific targets for gender or ethnicity representation in the strategy or the action plans.

We found that the understanding of the workforce in detail at team and department level was generally poor. This was attributed to poor access to comprehensive HR data to understand the diversity of teams and roles.

Recommendations

Recommendation 13

By 31 March 2023, the National Crime Agency should produce accurate data dashboards of the breakdown of its workforce by age, gender, ethnicity, role and location.

The NCA has policies that allow it to tackle prejudicial and improper behaviour. The NCA code of ethics and the misconduct regulations refer to honesty, integrity, treating people with respect and valuing diversity. The Civil Service code focuses mainly on the role of the civil service in relation to parliamentary politics. Neither of these documents describes standards of acceptable behaviour.

Police (Conduct) Regulations 2020 now include a Schedule for standards of professional behaviour. This defines ‘discreditable conduct’ and places a legal obligation on all police officers to report improper conduct by colleagues.

Recommendations

Recommendation 14

By 31 March 2023, the National Crime Agency should define standards of expected behaviour and include a definition of discreditable conduct and the obligation to report, challenge, and act against, improper behaviour.

There are good staff associations representing and supporting members of minority groups. Of note, we spoke to representatives of the gender equality group; the sexual harassment group; EMBRACE, representing the LGBTQ+ community; and various unions. All have good knowledge of the organisation and the issues their members face at work.

The agency has introduced workplace support officers to provide “independent and impartial support” for people concerned about prejudicial behaviour in the workplace. We found that there was little knowledge of workplace support officers among the workforce.

The agency demonstrated to us that it wants to understand the issues of gender-based and other prejudicial and improper behaviour and to improve the opportunities for women and other underrepresented groups.

One initiative, RAISE (respect, allyship, inclusion, safe spaces and education), aims to tackle prejudicial behaviour. The first stage is to encourage people to examine their own views and the impact their behaviour has on others. Every member of staff must have an objective in their annual appraisal for this year that relates to diversity. This isn’t going to change behaviour on its own, but it is a good way to start the conversation about prejudice and poor behaviour.

The RAISE programme is in its infancy, so there is no evaluation of its impact at this stage.

Racism and homophobia are understood and not tolerated but gender-based discrimination is present

We were told that the organisation acted decisively following the murder of George Floyd by police officers in the US, setting out standards of behaviour and expectations. There were also discussion forums and messages about the Black Lives Matter movement. The focus groups told us they hadn’t witnessed racist or homophobic abuse and that, if it happened, they were confident that it would be dealt with robustly.

However, we found that casual sexism was still tolerated. We found examples of women still being given certain roles during operational activity because of their gender. Women are still subject to sexist comments in the office and on informal WhatsApp groups. These groups include people in leadership roles. Worryingly, these individuals aren’t only failing to challenge poor behaviour; in some cases they join in with it.

There is no explicit policy for the acceptable use of encrypted applications such as WhatsApp. This application is available and used on agency devices and yet there is no guidance about its use. The social media policy and the training given to new recruits as part of their induction focus on the personal security aspects of social media and unacceptable behaviour when using it.

Recommendations

Recommendation 15

By 31 March 2023, the National Crime Agency should produce a policy providing clear guidance on acceptable behaviour in the use of encrypted applications such as WhatsApp on mobile phones, for operational and non-operational purposes.

There were examples of progress in making equipment that is designed for women available, such as stab vests. This should be a consideration across all the agency’s roles and not only happen after people complain. These are organisational signals that women and men aren’t considered equally.

We were told that the initial leadership input following the murder of Sarah Everard by serving police officer Wayne Couzens was focused on violence by men. The issue of prejudicial and improper behaviour in that case wasn’t initially highlighted. Subsequent agency-wide communications from senior leaders have, however, discussed gender-based harassment, notably on the anniversary of Sarah Everard’s death.

We did find some excellent local management inputs and discussion groups on this subject, but they were driven by individual leaders and not by the organisation.

Organisational culture

Most people are professional and don’t display prejudicial behaviour

Our focus groups showed that the culture is generally positive and inclusive. This was the case in the two HQ sites we visited in London and Warrington, where there are a variety of teams and functions. The NCA is an amalgam of many historic agencies, all with their own cultures and practices. The NCA has made efforts to bring these organisations into a single agency with one positive culture.

Allyship is a key tool for senior leaders to improve the culture. We were told that this will be rolled out across the agency but to date, only senior leaders have received the input. The idea is that everyone becomes an ally to those who are underrepresented and speaks out against prejudice. This is part of the RAISE programme referred to above, and at the time of our inspection, couldn’t be evaluated.

There is a lack of trust and confidence in the organisation to deal with bad behaviour

There are pockets of bad behaviour across the organisation that are known to leaders and staff but haven’t been tackled. The teams and units where this poor behaviour occurs have been revealed in previous misconduct investigations, referred to in the culture and staff surveys, and are widely discussed among staff. We were repeatedly told about “toxic male cultures”. We found they were tolerated by women in the organisation because women are outnumbered and fear the stigma and repercussions of speaking out. We only found these negative cultures in operational teams.

One experienced investigator who had joined the agency in the last few years told us that they felt “it was like stepping back in time to an old-fashioned [police] CID office” when they joined the team.

We were told by women that they had changed their career plans to avoid the male cultures in operational jobs. They shared their experiences of sexism in operational roles. Notwithstanding individual experiences of sexualised comments and unwarranted approaches from men, there are some organisational behaviours and signals that discriminate against women.

As mentioned above, the leniency shown to senior men in sexual misconduct cases, both in outcomes and decisions to suspend, negatively affect the confidence people have in reporting prejudicial behaviour.

We were told of one location that was described as having an “old boys’ network” that included the leadership team. This network was felt to be so strong that, if one of “their boys” was accused of improper behaviour, it would be “brushed under the carpet”.

The staff survey showed that women didn’t feel they would be protected if they reported prejudicial or improper behaviour, and 34 percent of victims felt they had been punished for reporting. We found examples of men receiving written warnings for findings of misconduct and then returning to the team they left.

Across the workforce, there was a lack of understanding about the grievance procedure and what incidents could be dealt with using this route. The agency has been piloting a plan to improve the procedure. With the introduction of the grievance gateway panel, there is greater transparency and peer review of grievance decisions. At the time of our inspection, this was due to be evaluated before being rolled out. It is hoped that it will help to improve confidence in this method of resolving less serious behavioural issues and increase reporting.

Misconduct outcomes aren’t often published

A good way for organisations to set out their standards and expectations is to publicise when they have successfully removed someone from the organisation for misconduct. In our inspections of police forces, we view this practice positively.

Although the agency publishes misconduct statistics and occasionally heavily redacted case summaries, it doesn’t routinely publish misconduct or probationer panel outcomes to its staff. Those that we spoke with told us that this would help to improve confidence in the organisation. The decision not to routinely publish comes from internal legal advice and concerns over possible breaches of employment law. It is intended that by 2025, outcomes of grievances and misconduct will be published, a target set out in the Inclusion Culture Strategy. We recommend this is started immediately.

Recommendations

Recommendation 16

By 31 December 2022, the National Crime Agency should publish anonymised details of misconduct case findings.

Leadership

The ability to tackle inappropriate behaviour isn’t helped by confused messaging and poor leadership from senior leaders

We found that the work of individual leaders to set standards and manage poor behaviour was hindered by a lack of clear direction from the most senior leaders. There are many sets of values, badged as codes of ethics, regulations, values or simply leadership mantras. They are broadly similar, but the differences between them mean there is confusion within the workforce and a lack of clear direction.

We found that there was a difference of opinion among the senior leaders as to what acceptable standards of behaviour are. Some believe that the agency is too lenient in disciplining poor behaviour, while others feel it is too harsh. Some people we interviewed attributed this to the different routes they had taken into the organisation. Those with a civil service background were considered more lenient than those from law enforcement. Diversity of decision-making is important in senior leadership teams, but there must be a single standard for behaviour, which must be demonstrated in an individual leader’s behaviour and in the decisions they make in misconduct cases.

The panel chairs for misconduct now receive good training for the role, but no one had been told of the expectations of the senior team. The independence of panels can be maintained even if expectations about behaviours are set out.

Recommendations

Recommendation 17

By 30 June 2023, the training given to panel chairs should include the director general (or delegate) setting out their expectations of the misconduct process. This input must be provided retrospectively to those panel chairs who have already attended the training course.

Local responsibility for culture

In light of staff surveys, the agency has required each of its commands to produce a culture plan to improve standards of behaviour.

Local leaders are responsible for creating a culture where it is safe to report concerns. The strategy to delegate cultural improvement to local leaders means that there is no overall direction set by the agency.

These plans are still very new, and although they are collated by HR, we didn’t find any clear agency-wide plan to monitor progress or to evaluate them.

The plans we saw consisted of standard messages about behaviour and general departmental and individual responsibilities. We didn’t see any targeted plans to tackle a prevailing negative culture, nor to seek out possible areas where the culture needs to improve.

There is no mandatory leadership training for new leaders

We found that none of those in leadership roles that we spoke with had been given any training or guidance setting out exactly how they should manage the behaviour of their teams and the standards that are expected.

New recruits all now receive training on professional standards and NCA values. We were told that a large number of people in the organisation, recruited during the pandemic or transferred from other agencies, haven’t had any training about expected standards of behaviour. We heard examples of new and temporarily promoted staff being given copies of the various policies and being told to read them with no follow‑up or discussion.

Recommendations

Recommendation 18

By 30 September 2023, the National Crime Agency must provide training for all officers and staff, clearly setting out standards of behaviour expected from them. This should include:

  • guidance for leaders on their role in applying those standards;
  • the grievance procedure; and
  • the process for reporting misconduct or suspected corruption.

Conclusion

The NCA understands the importance of personnel security and has changed its structure to better meet the threat of infiltration or external penetration. It has plans and funding approved to improve its proactive investigation of corruption threats.

We were particularly encouraged by the work of the IPS department. There is a strong sense of purpose in the team and a commitment to tackle corruption and improper behaviour. We felt the frustration caused by the inconsistency of outcomes in misconduct panels and with some of the local decisions to deal with poor behaviour.

Those examples of prejudicial and improper behaviour that we found in some units and teams are concerning. In many of the recent high-profile cases involving police officers, there has been an underlying tolerance of unacceptable behaviour, often badged as ‘just banter’. The agency must make sure that behaviours like these aren’t tolerated in its own ranks.

Senior leaders must set consistent standards both in the agency’s policies and strategies but also in their decisions and the signals they send to the agency’s officers and staff.

The NCA has increased the diversity of its workforce and has committed to increasing it further. It understands the importance of diversity in decision-making and a positive culture. There need to be clear and ambitious targets to make each grade and role representative and eliminate places where women and people from minority backgrounds don’t feel comfortable working.

This inspection has taken place following recent changes to structures (IPS) and to strategies (Culture Inclusion Strategy). We haven’t been able to assess the impact of these changes in tackling some of the issues we highlight relating to culture and diversity. We will need to revisit this area again to see the impact of these changes.

We make 19 recommendations.

Annex A: Prejudicial and improper behaviour

In 2021, the Home Secretary asked us to examine police forces’ ability to detect and deal with “misogynistic and predatory behaviour”.

We published the findings of this inspection in our report.

To classify more precisely the types of behaviour in question, we had to define what they were. We found no nationally agreed definition we could use. To give clarity to forces (mainly about the information we asked them to provide), to the police officers and staff who assisted us during this work and to our own inspectors, we defined ‘prejudicial and improper behaviour’ as:

“Any attitude and/or behaviour demonstrated by a police officer or police staff that could be reasonably considered to reveal misogyny, sexism, antipathy towards women or be an indication of, or precursor to, abuse of position for a sexual purpose.

It may include, but is not limited to: inappropriate, crude or offensive comments; telling sexualised jokes; asking intrusive questions about someone’s private life; inappropriate touching; abusive, manipulative, coercive, controlling or predatory behaviour; bullying and harassment; and any other type of behaviour that may give cause for concern over whether a person is fit to serve as a police officer or as police staff.”

We applied that definition in our inspection of the NCA.

In our thematic report, we recommended that the National Police Chiefs’ Council and the College of Policing should adopt our definition of prejudicial and improper behaviour.

We make the same recommendation to the NCA.

Recommendations

Recommendation 19

By 31 December 2022, the National Crime Agency should adopt our definition of prejudicial and improper behaviour or an alternative of its own.

Back to publication

Vetting and anti-corruption part 1: How effective is the National Crime Agency at dealing with corruption?