A recent conviction at Edinburgh Sheriff Court has provided a clear and detailed example of how bribery offences arise in practice, and how courts assess both individual culpability and organisational controls. The conviction of Stuart Holloway, a former relationship manager at the Royal Bank of Scotland, offers important lessons for compliance teams, particularly in relation to gifts and hospitality controls, monitoring, and the broader risk landscape in Scotland where firms cannot rely on Deferred Prosecution Agreements.
The abuse of position in this case
Holloway was employed within RBS’s Global Restructuring Group (GRG), a division responsible for managing financially distressed business clients. Between 2012 and 2013, he exploited that position by soliciting and accepting personal payments from clients in return for favourable treatment within the bank.
Holloway repeatedly requested payments from clients whose businesses were under financial pressure, implying that such payments would influence decisions on debt restructuring, personal guarantees, and access to improved banking terms. In total, he received approximately £274,000 across two client relationships. The court found that the behaviour was persistent and calculated, involving multiple requests over an extended period. Clients were induced to sell assets, remortgage properties, and transfer funds to Holloway and accounts linked to his family.
Holloway ultimately pleaded guilty to offences under section 2 of the Bribery Act 2010, specifically requesting and accepting a financial advantage as an improper performance of his role. The GRG unit dealt with businesses in financial distress, often with significant debts and limited options. The court recognised that Holloway targeted individuals who were both financially vulnerable and reliant on his decisions.
The role of policies and the failure of oversight
In sentencing remarks, Sheriff Walls emphasised the broader impact on trust in financial institutions, particularly in the aftermath of the financial crisis when confidence was already fragile. The Sheriff made explicit reference to anti-bribery and corruption (ABC) controls, particularly around gifts and hospitality.
The court acknowledged that RBS had policies in place designed to prevent inappropriate advantages, including limits on gifts and hospitality that could be perceived as influencing business decisions. However, there was limited evidence before the court on how those policies were implemented, monitored, or enforced in practice.
As has been repeatedly found in similar cases, the mere existence of a policy is not sufficient. Courts expect organisations to demonstrate that controls are operational, embedded, and actively supervised. In this case, Holloway was able to repeatedly solicit and receive significant payments without detection or escalation. The failure reflects weaknesses in monitoring, reporting, and internal challenge mechanisms. The absence of effective oversight allowed improper relationships to develop over time, despite the presence of formal policies.
Gifts, hospitality and improper advantage
The case reinforces a central principle of the Bribery Act: the line between legitimate business conduct and bribery is determined by intent and context.
Payments framed as personal assistance, informal arrangements, or indirect transfers to family members can still constitute bribes where they are linked to the improper performance of a function. Holloway’s conduct illustrates how easily gifts and hospitality frameworks can be bypassed if controls are not rigorously enforced.
For compliance teams, this underlines the need for clear approval processes, transparency over personal relationships, and continuous monitoring of high-risk roles, particularly those involving discretion over client outcomes.
The Scottish enforcement landscape and absence of DPAs
The case also sits within a distinct enforcement framework in Scotland, which differs in important respects from England and Wales.
Unlike the regime overseen by the Serious Fraud Office, there is no Deferred Prosecution Agreement (DPA) mechanism available under Scots law. Companies cannot rely on a court-approved settlement process that allows them to avoid conviction in exchange for cooperation and remediation.
Instead, enforcement is led by the Crown Office and Procurator Fiscal Service, which operates a civil recovery and self-reporting model. While civil settlement may be available in some circumstances, it is discretionary and depends on early disclosure, thorough internal investigation, and demonstrable remediation.
This creates a different risk profile for organisations operating in Scotland. Where misconduct is not identified and addressed promptly, the pathway is more likely to lead to prosecution rather than negotiated resolution. Since September 2025, the Procurator Fiscal’s policy of self disclosure covers the full suite of corporate failure to prevent offences: bribery, facilitation of tax evasion, and fraud, as well as offences committed by senior managers that can be attributed to the business.
Nevertheless, the absence of a DPA-style safety net increases the importance of having robust, well-evidenced compliance procedures in place. If bribery does happen, as in this case, the business could face more of a risk in Scotland than in England.
Key features of the Scottish disclosure regime
Eligibility: Companies, LLPs, and partnerships may self-report.
Submission: Reports must be made via a solicitor to COPFS’s Serious Organised Crime Unit (SOCU).
Investigation Standard: Businesses must carry out thorough internal investigations, typically with forensic accountants, and disclose the full extent of wrongdoing.
Remediation: Organisations must show remedial steps and strengthened compliance controls.
Evaluation: COPFS assesses seriousness, harm, culpability, remedial action, and public interest.
Settlement: If accepted, cases go to CRU for civil recovery under Proceeds of Crime Act 2002 (POCA) principles.
Implications for compliance frameworks in Scottish companies
First, high-risk roles require enhanced scrutiny. Relationship managers with significant discretion over client outcomes present inherent corruption risks, particularly where clients are under financial pressure.
Second, policies must be demonstrably effective. It is not enough to define acceptable and problematic conduct. Organisations must monitor transactions, enforce declarations, and test whether controls are working in practice.
Third, culture and escalation pathways matter. Employees must feel able, and required, to report concerns. Early warning signs such as unusual client payments, undisclosed relationships, or repeated boundary crossing need to trigger intervention.
Finally, organisations in Scotland must factor enforcement realities into their risk assessments. Without access to DPAs, the consequences of failure are more immediate and less negotiable.
