The UK government introduced a major overhaul of its framework for addressing financial crime — and brought into force numerous significant changes1 — when the Economic Crime and Corporate Transparency Act 2023 (the Act) became law in the UK on 26 October 2023.
A key innovation introduced by the Act is the new failure-to-prevent-fraud offence that will make it easier for companies to be criminally prosecuted. Previously, a company could only be prosecuted for a fraud offence where the “directing mind and will” or “senior manager” of the company had some involvement in the offence. The new offence is specific to corporations and subjects them to strict liability, and will potentially make it easier for victims of fraud to pursue a private prosecution of a company.
The new offence’s coming into force will therefore be a landmark in the development of the corporate criminal liability landscape in the UK, and the offence’s broad extraterritorial reach means overseas companies will need to consider their risk exposure and mitigate it accordingly. Notably, the new offence will take effect against a backdrop of unprecedented levels of fraud in the UK.2
The New Strict-Liability Offence
This new strict-liability criminal offence is modelled on the “failure to prevent” offences previously introduced in the UK, such as failure to prevent bribery and the criminal facilitation of tax evasion.
Under the new failure-to-prevent-fraud offence, a company can be held liable if it fails to prevent an “associated person” from committing a set of specified fraud offences. This includes, for example, offences under the Fraud Act 2006 (e.g., fraud by false representation, fraud by failing to disclose information, fraud by abuse of position), the Theft Act 1968 (e.g., false accounting), fraudulent trading and cheating the public revenue.
The new offence also includes “aiding, abetting, counselling or procuring the commission of a listed offence.” This extends a company’s potential scope of liability even further.
The types of conduct that could be covered are therefore broad. For example, the offence could be committed in the context of:
- Representations and warranties in transaction documents and associated disclosures.
- Disclosures to the market, such as in prospectuses and annual reports.
- Statements by directors to shareholders during investor calls.
- Insurance claims made by a company.
- The preparation of accounts and other financial statements (“cooking the books”).
- Reports and applications to regulators.
- Advertising and sales activities.
- Third parties misrepresenting the quality of goods or services to increase sales.
The list of offences can be updated through secondary legislation in the future, although any new offences added would be limited to economic crime.
Who Is Covered?
The new offence will apply only to “large” organisations, and exempts small and medium-sized companies. A company will be deemed a “large organisation” under the Act if the company satisfies two or more of the following conditions in the financial year preceding the year in which the alleged fraud is said to have occurred: the company has (i) more than 250 employees; (ii) turnover of more than £36 million; and/or (iii) a balance sheet total of more than £18 million.
A parent company of a group is a “large organisation” if the group headed by it meets at least two of the following criteria: (i) an aggregate turnover of more than £36 million (or £43.2 million gross); (ii) an aggregate balance sheet total of more than £18 million net (or £21.6 million gross); and/or (iii) more than 250 employees in aggregate.
Nevertheless, small to medium-sized businesses will need to consider implementing robust anti-fraud procedures. Many such organisations may act for, or on behalf of, a large organisation that is within the scope of the Act, and could therefore be an “associated person.” Larger organisations will likely want to confirm that such companies have in place appropriate fraud prevention policies and procedures as part of their onboarding process.
Who Is an ‘Associated Person’?
The term “associated person” includes employees, agents, subsidiaries and any person who otherwise performs services for or on behalf of the company, as well as employees of subsidiaries of a company. This broadly follows the format of how an associated person is defined under UK anticorruption legislation. Parent companies can therefore be held liable for fraud committed by an employee of a subsidiary if the employee holds the requisite intent. The associated person must intend to directly or indirectly benefit the company or a person to whom services are provided on behalf of the company.
What Is the Extraterritorial Reach of the New Offence?
The new offence will have broad reach outside of the UK due to the extraterritorial effect of the underlying offences. The Criminal Justice Act 1993 extended the UK’s jurisdiction for fraud and other economic crimes to where a “relevant event” occurred in the UK, including, for example, causing a gain or a loss to another party in the UK. Companies located or incorporated outside of the UK could be prosecuted under the Act where part of the offence takes place in the UK, where the offence causes harm in the UK or where the “associated person” acting on behalf of the company is in the UK.
The UK government’s explanatory note related to the Act reiterates the government’s intention to make broad use of the new powers under the Act. The note states that “if an employee commits fraud under UK law, or targeting UK victims, their employer could be prosecuted, even if the organisation (and the employee) are based overseas.”3 Note that while the comparable offence under the UK Bribery Act (i.e., Section 7 (failure to prevent bribery)) requires the overseas organisation that is being prosecuted to carry on business, or part of a business, in the UK, there is no such requirement under the Act. This may signal that the UK government intends to take a broader extraterritorial approach under the failure-to-prevent-fraud offence than we have previously seen under existing anticorruption legislation — perhaps due to the often cross-border nature of fraudulent activity and the potential for harm to be caused to victims in a number of jurisdictions.
Considering this risk, companies outside of the UK but with UK touch points (e.g., subsidiaries, employees, agents, service providers, investors, shareholders, customers within the UK) may still need to ensure appropriate fraud prevention procedures are in place.
What Defences Are Available and What Are the Potential Consequences?
Two defences are available, namely where:
- The company was itself the victim or the intended victim of the fraud. This carve-out does not apply where the person commits the fraud intending to benefit the company, only where the intention was to benefit a person to whom services were being provided, for example, a client or customer.
- The company can demonstrate that it had reasonable fraud prevention procedures in place, or that not having such procedures was reasonable.
The Act does not define what reasonable fraud prevention procedures would entail; however, when the UK government publishes its guidance on this topic, we expect a principles-based approach, mirroring the failure-to-prevent-bribery and facilitation-of-criminal-tax-evasion offences.4
We do not anticipate that many companies will be able to rely on it being reasonable not to have fraud prevention procedures in place. Companies within the scope of the offence will need to prepare and implement appropriate fraud prevention procedures to ensure that the defence can be raised if necessary.
If held liable, a company can receive an unlimited fine, although deferred prosecution agreements will be available where the conduct and circumstances fit the criteria set out by the Serious Fraud Office.5
Next Steps
We expect that the government will publish its guidance on what constitutes “reasonable fraud prevention procedures” before the end of 2024. The new offence will likely come into force six to nine months later. Companies will therefore have some time to ensure that they have implemented reasonable fraud prevention procedures, or reviewed existing procedures to ensure that they are sufficiently compliant with government guidance.
Nevertheless, companies can take steps now to ensure (i) their risk assessments adequately address fraud-related risks that are within scope of the offence and (ii) their policies and procedures are appropriately designed to mitigate such risks.
_____________________
1 We covered these changes in our 26 February 2024 alert “Economic Crime and Corporate Transparency Act 2023 – Key Developments.”
2 The previous UK government administration estimated that fraud accounted for over 40% of crime, but received less than 1% of policing resources (see Fraud Strategy: Stopping Scams and Protecting the Public, June 2023). UK Finance’s 2024 Annual Fraud Report estimated that criminals “stole £1.17 billion through … [financial] fraud in 2023.” The UK Serious Fraud Office (SFO) Strategy for 2024–2029 acknowledges that fraud is now the “UK’s most prevalent crime” and has signalled that the SFO intends to “strengthen” its operations through enforcement activity under the new failure-to-prevent-fraud offence. We therefore anticipate that, once the offence comes into force, SFO investigations and subsequent prosecutions related to fraud will increase.
3 Economic Crime and Corporate Transparency Act: Failure To Prevent Fraud Offence, March 2024
4 Provided that the government guidance mirrors the approach taken to the failure-to-prevent-bribery and facilitation-of-tax offences, the six principles would be: (i) proportionate procedures, (ii) top-level commitment, (iii) risk assessment, (iv) due diligence, (v) communication (including training) and (vi) monitoring and review.
5 We previously covered the SFO’s DPA criteria in our 6 February 2023 alert “France Further Aligns Corporate Guidance with US and UK Approaches to Sentencing and Leniency.”
[View source.]
