The Economic Crime and Corporate Transparency Act (the Act) received Royal Assent on 26 October 2023.
The Act is substantial, running to 376 pages, and introduces a broad range of reforms. Amongst significant changes to Companies House (a summary of which can be found here), the extension of existing seizure, confiscation, and civil recovery regimes to cryptoassets, and new exemptions under the Proceeds of Crime Act 2002 for businesses operating in the AML "regulated sector" looking to exit customer relationships, are two provisions designed to facilitate corporate prosecutions for certain types of economic crime:
- A new "failure to prevent" fraud offence; and
- Reform of the "identification doctrine" for corporate criminal liability.
We anticipate that these new provisions will have a profound effect on how companies and partnerships approach fraud and other economic crime prevention within their businesses.
Failure to prevent fraud
Several years in the making, the new failure to prevent fraud offence roughly follows the templates employed in the failure prevent bribery and tax evasion facilitation offences, respectively introduced by the Bribery Act 2010 and Criminal Finances Act 2017, with a few key differences.
Who does the offence apply to?
The offence applies to "large" companies and partnerships ("Organisations") across all sectors, which meet two of the three following criteria in the financial year preceding the year of the offence: (i) more than 250 employees, (ii) more than £36 million annual turnover, and/or (iii) more than £18 million in total assets.
If a parent company and its subsidiaries cumulatively satisfy two of the three criteria (more than 250 employees, more than £36 million net turnover (£43.2 million gross), and more than £18 million net aggregate balance sheet (£21.6 million gross)) the parent entity will also be deemed within scope of the new offence.
How does the new offence work?
An Organisation will be automatically liable if any "associate" commits a relevant fraud offence intending to benefit (whether directly or indirectly) (a) the Organisation, or (b) any person to whom (or to whose subsidiary) the associate provides services on behalf of the Organisation. This is the case even if the Organisation did not know the fraud was occurring.
An "associate" is defined as an employee, agent, subsidiary, or other parties performing services for or on behalf of the Organisation.
An Organisation will, however, have a defence if it can demonstrate (on the balance of probabilities) that when the fraud took place it had in place reasonable prevention procedures, or it was not reasonable in all the circumstances to expect the Organisation to have had such procedures in place.
An Organisation will also not be deemed guilty of a failure to prevent fraud if it was itself a victim, or was intended to be a victim, of the fraud.
The types of fraud to which the offence applies are broad and include (a) fraud by false representation, failing to disclose information, or abuse of position, (b) false accounting, (c) false statements by company directors, (d) fraudulent trading, and (e) cheating the public revenue.
Does the offence have extra-territorial effect?
The offence is wide-reaching with foreign companies potentially within scope. If, for example, an employee commits fraud under UK law or the effect of the fraud is felt within the UK (e.g., through targeting UK victims) with the requisite intention of benefitting their employer, the employer may be prosecuted for a failure to prevent the fraud even if it is based overseas.
This is an important departure from the model under the Bribery Act 2010 and Criminal Finances Act 2017, both of which require that the foreign entity carries on a business or part of a business within the UK for jurisdiction to be established.
What about director / officer liability?
Numerous corporate criminal offences impose officer liability on those who consent to and/or connive in offences or to whose negligence the offence is attributable. The Act does not, however, propose any expansion of individual criminal liability.
What should Organisations be doing now?
Although the offence is not yet in force, as we await Government guidance on how it will work (including how "reasonable procedures" are to be interpreted), Organisations will doubtless require time to ready themselves. We recommend that Organisations take steps now to re-assess fraud risks within their businesses, ensuring that appropriate risk-based fraud detection, prevention, escalation polices, and other relevant procedures are fit for purpose.
Commentary
The new failure to prevent fraud offence raises a few key points:
- First, the restriction of the failure to prevent fraud offence to larger entities is a controversial move. Although the Government has defended its approach by emphasising that the cost of compliance for micro, small and medium-sized enterprises (SME) would be too burdensome, critics within and outside Parliament have argued that the cost should not be too burdensome as anti-fraud controls should be commensurate with the size and complexity of the business (the smaller and simpler the business, the smaller and simpler the compliance programme). Costs can also be mitigated by exploring synergies with existing bribery, tax evasion facilitation, and other economic crime risk controls. Fraud does not exist in a vacuum and there is potentially significant overlap between economic crime policies and procedures (including risk assessments, counterparty due diligence, transaction monitoring, and training).
- Second, by taking SMEs outside of the offence the Government has also ironically denied such businesses the ability to claim the "reasonable procedures" defence. The introduction of the "failure to prevent" model was principally to facilitate prosecutions against larger organisations where the authorities would otherwise have had to satisfy the high evidential bar of the identification doctrine (requiring guilt of the company's "directing mind and will" – see below). However, prosecutors have historically found it easier to prosecute SMEs under this principle because of simpler management and decision-making structures. There is no preventive procedures-related defence under the identification doctrine, meaning that SMEs remain at risk of prosecution for fraud but without the benefit now afforded to larger entities.
- Third, despite the foregoing it is notable that the Government's Impact Assessment for the new fraud offence acknowledges that "additional court cases are expected to be low". The Government therefore does not anticipate the floodgates to open to criminal litigation even for in-scope Organisations. Time will tell.
- Fourth, the explanation for the low number of court cases may be tucked away in one of the "miscellaneous" provisions (section 206(3)), which confirms that failure to prevent fraud will be added to the list of offences that may be resolved by way of a deferred prosecution agreement (DPA). If the failure to prevent bribery regime is anything to go by, with numerous significant cases disposed of through a DPA (e.g., Rolls-Royce, Airbus, and Standard Bank), these court-sanctioned agreements may well become the weapon of choice against Organisations that fail to prevent fraud. Indeed, given the prevalence of fraud in comparison with bribery, and the breadth of potential offences captured by the new offence, there is certainly scope for a significant uptick in DPA activity.
- Fifth, the new offence will undoubtedly have a profound effect on how Organisations approach fraud prevention within their business. The Government's Impact Assessment (linked above) confirms that the offence's strategic objective is to build anti-fraud culture within Organisations. The analogous failure to prevent bribery and (perhaps to a lesser extent) tax evasion facilitation offences have shaped many corporate compliance cultures since their introduction. The Government clearly expects the same in the fraud arena.
Identification doctrine
Summary
Hand-in-hand with the failure to prevent fraud offence, the Act also introduces a very significant change to the "identification doctrine" for corporate criminal liability.
For offences requiring a particular mental state (e.g., intent, recklessness, or dishonesty) prosecutors have historically been required to demonstrate the guilt of a company's "directing mind and will" before the company itself could be held liable.
Down the years the principle (a product of case law rather than statute) has created knotty evidential issues for prosecutors tasked with finding guilty individuals who had sufficient seniority and autonomy that they acted not merely on behalf of the company but as the company (and thereby constituted the company's directing mind and will). Previous SFO Directors David Green and Lisa Osofksy have expressed concerns that the evidential bar has been set too high, particularly in cases involving large and complex organisations with multiple management layers and delegated decision-making.
The Act brings the doctrine onto a statutory footing and makes some key modifications in the context of economic crimes which are listed in Schedule 12 of the Act (including money laundering offences under POCA, regulated activity-related offences under the Financial Services and Markets Act 2000, as well as tax and theft offences including cheating the public revenue and false accounting). Importantly, these also include attempts and conspiracy to commit listed offences as well as encouraging, aiding, abetting, counselling, and procuring the commission of listed offences.
Corporates will be criminally liable if a senior manager, acting within the actual or apparent scope of their authority, commits a listed offence. The concept of senior manager is rather broader than the directing mind and will, meaning an individual who plays a "significant role" in (a) the making of decisions about how the whole or substantial part of the corporate's activities are to be managed or organised, or (b) the actual managing or organising of the whole or substantial part of those activities.
Commentary
The Act's amendment of the identification doctrine is a significant development. Companies now face being held liable for the acts and omissions of a far broader cohort of personnel.
However, although the Government's Impact Assessment accompanying the Act indicates that the reform provides "certainty that senior managers are in scope to better capture large ownership structures" we anticipate that a potentially fertile ground for challenge will be whether the individual in question actually qualifies as a senior manager for these purposes.
For example, what amounts to a "significant role" in decision-making will need to be determined according to the facts of each case and may not be a straightforward analysis. Also, what amounts to a "substantial part" of a company's activities is also open to interpretation. In the event of a prosecution, we can expect the defence to press these points. Nevertheless, the Act does at least triangulate where the authorities and courts will need to focus their assessments.
The significance of the new formulation will ultimately be determined by how aggressively the authorities pursue cases. This is as much a question of political will and resourcing as it is evidence. In that context, the Impact Assessment (much like its counterpart for the failure to prevent fraud offence) indicates that as organisations can already be prosecuted under the identification doctrine under common law, the amended scope will not "attract any new risks." Consequently, "Following engagement with the CPS and SFO, Home Office expects the number of additional court cases to be low…"
It will be interesting to see how this plays out in practice.
Want to hear more from us? 
