Significant expansions to corporate criminal liability: the new offence of failure to prevent fraud and extended identification principle
The Economic Crime and Corporate Transparency Act 2023 ("ECCTA") introduces a landmark new corporate offence of failure to prevent fraud (the "FTP fraud offence"). The new offence allows prosecutors to hold an organisation criminally liable, on a strict liability basis, for fraud committed by an employee or agent of that organisation. To establish a defence, an organisation will need to show that it had in place reasonable procedures designed to prevent persons associated with the organisation from committing fraud offences.
Context to the new offence
The "fraud pandemic"
Estimates of the impact of fraud on the UK economy range from £100 billion to £200 billion per annum. According to the Government's second Economic Crime Plan (2023 – 2026) fraud accounted for an estimated 41% of all crime experienced by adults in England and Wales in the year ending September 2022. The NCA assesses it is a realistic possibility that over £100 billion pounds is laundered every year through the UK or through UK corporate structures using high end money laundering methods.
Corporate responsibility; corporate liability
The Government has, for more than a decade, increasingly looked to companies to play a part in combatting economic crime. The Bribery Act 2010 introduced strict corporate liability for failure to prevent bribery, followed by the Criminal Finances Act 2017 ("CFA 2017") which introduced a similar, strict liability offence of failure to prevent the facilitation of tax evasion. The legislation creating these offences also created defences for organisations that can demonstrate the existence (at the time of the offence) of "adequate" (in the Bribery Act) or "reasonable" (in the CFA 2017) prevention procedures.
Beyond the introduction of corporate strict liability offences, the Government has, in a similar time frame, empowered prosecutors to enter into Deferred Prosecution Agreements ("DPAs") with companies (a move that has seen more corporate accountability in the UK for criminality in the last decade that at any time previously), extended the "regulated sector" for anti-money laundering purposes, and introduced the Economic Crime Levy, requiring larger, regulated businesses to contribute financially to the fight against economic crime.
Law reform: the new offence
In November 2020, the Government asked the Law Commission to examine the law on corporate criminal liability and publish a paper providing an assessment of different options for reform. The Options Paper emerged in June 2022, and included a proposal for a new corporate offence of FTP fraud. A little over a year later, such an offence was tabled as an amendment to the ECCTA, which, after considerable debate and amendment, and disagreement on scope between the House of Commons and House of Lords, received Royal Assent on 26 October 2023.
The new offence of failure to prevent fraud
The offence
The Government Fact Sheet on the new offence characterises its operation and intended effects as follows:
"The government is creating a new failure to prevent fraud offence to hold organisations to account if they profit from fraud committed by their employees. This will improve fraud prevention and protect victims."
Looking more closely: section 199 of ECCTA provides that a "relevant body" which is a "large organisation" shall commit an offence where an "associate" of the relevant body commits a fraud offence, intending to benefit (whether directly or indirectly) the relevant body or its clients or customers.
An organisation will not be guilty of the offence if it was itself the victim (or intended victim) of the fraud offence.
Organisations in scope
The offence can be committed by a body corporate or a partnership, wherever incorporated or formed.
At present, the offence can only be committed by large organisations, defined to mean an organisation that meets two of the three following threshold conditions (adopted from s465 Companies Act 2006):
- More than 250 employees;
- More than £36 million turnover; and
- Assets of more than £18 million.
Mechanisms for calculating each of the criteria are contained in the ECCTA (section 201).
If resources are held across a parent company and its subsidiaries and such resources cumulatively satisfy the size thresholds, that group of companies will be in the scope of the FTP fraud offence. Liability can be attached to whichever individual entity within the group was directly responsible for failing to prevent fraud, or to the parent company, if a fraud was committed by a subsidiary employee, for the benefit of the parent company, and the parent company did not take reasonable steps to prevent it.
Overseas organisations and extraterritorial effect
The existing failure to prevent bribery offence (s.7 Bribery Act) can only be committed by UK organisations and by overseas organisations "carrying on business or part of a business" in the UK. No such limitation appears in ECCTA in relation to the new FTP fraud offence. It follows that overseas organisations may be liable under the FTP offence. The Government has stated that, "If an employee commits fraud under UK law, or targeting UK victims, their employer could be prosecuted, even if the organisation (and the employee) are based overseas."
"Fraud offence"
Organisations can be held liable when an associate commits a "fraud offence".
"Fraud offence" is defined with reference to a list of offences, contained at Schedule 13 to the ECCTA, a list which Government describes as, "the fraud and false accounting offences most likely to be relevant to corporations". These are:
- fraud by false representation (section 2 Fraud Act 2006)
- fraud by failing to disclose information (section 3 Fraud Act 2006)
- fraud by abuse of position (section 4 Fraud Act 2006)
- ·obtaining services dishonestly (section 11 Fraud Act 2006)
- participation in a fraudulent business (section 9, Fraud Act 2006)
- false statements by company directors (Section 19, Theft Act 1968)
- false accounting (section 17 Theft Act 1968)
- fraudulent trading (section 993 Companies Act 2006)
- cheating the public revenue (common law)
Money laundering is a notable omission from the list. The rationale for its exclusion was that businesses are already required to have procedures in place to prevent money laundering, and are supervised by the AML Supervisors (e.g. the FCA and HMRC).
The inclusion of the common law offence of cheating the public revenue and the statutory offence of false accounting are noteworthy for tax and accounting professionals.
Defence of reasonable prevention procedures
The ECCTA sets out a compliance defence to the FTP fraud offence: the organisation will not be guilty of failing to prevent fraud if it can prove that, at the time of the offence, it had in place "prevention procedures" designed to prevent an associate from committing the offence, or that it was reasonable in all the circumstances to not expect the organisation to have such procedures. The defence has been likened to the "adequate procedures" defence in relation to the failure to prevent bribery offence.
What to do now?
The new FTP fraud offence will only enter into force once government guidance has been published on the "prevention procedures" defence. The Guidance is expected later in 2024 or in early 2025.
Ahead of the publication of the Guidance there are several important steps that organisations can take to prepare:
- The definition of "relevant body" and "large organisation" are unlikely to change before the publication of the Guidance. Organisations can therefore assess whether they (and/or the wider group) are in scope for the new offence.
- An assessment of the fraud risks which the organisation faces should be conducted. The list of "fraud offences" (set out above) can be used a prompt for considering particular exposures. This exercise should be documented in a specific fraud risk assessment.
- The definition of "associates" (employees, agents, associates) can similarly be used to identify where and how offences of fraud could conceivably be committed, for the benefit of the organisation, parent company and/or clients / customers.
- As part of the same exercise, consideration can be given to how the organisation / group exercises control and oversight of its "associates". For example: how does the organisation ensure that sub-contractors do not engage in fraud?
- Organisations should begin to review their current policies and procedures, financial and accounting controls, and whistle-blowing arrangements, and consider whether they are adequate and have kept up to date with the evolution of the business and legal environment.
- Fraud prevention procedures will inevitably include reconsideration of contractual terms and anti-fraud terms. Consideration of the same can begin now.
- If the business has experienced instances of fraud such can be the basis for "lessons learned" exercises.
- The Ministry of Justice Guidance on the Bribery Act 2010 places emphasis on "top level commitment". Guidance on the new FTP fraud offence is likely to do the same. Boards and other management bodies should be briefed on the new offence and begin to be able to evidence commitment to upgrading and establishing fraud prevention procedures.
Companies not currently in scope
The Government Fact Sheet notes that, "The impact of the offence will be kept under review and the threshold at which companies are excluded can be amended in future through secondary legislation if necessary." In light of the position of the House of Lords during the passage of the Bill (that became ECCTA), that the offence should apply to all organisations, there is a realistic possibility that the offence will be broadened in the future. Organisations below the threshold should also therefore consider fraud prevention policies and procedures, in anticipation of the extension of the FTP fraud offence.
New "senior manager test" for establishing corporate criminal liability
Separately, the ECCTA has also amended the legal test to establish corporate criminal liability. The relevant provisions came into force on 26 December 2023.
Prior to the revisions contained in the ECCTA, a corporate entity could only be held criminally liable for an offence if the offence could be attributed to a natural person who could be shown to represent the "directing mind and will" of the company at the time the offence was committed. The common law test (the "identification principle") was established in 1971 in the case of Tesco Supermarkets v Nattrass and has long been criticised by authorities, such as the SFO, as representing an outdated and difficult threshold to attain.
Section 196 of ECCTA provides that:
"If a senior manager of a body corporate or partnership ("the organisation") acting within the actual or apparent scope of their authority commits a relevant offence after this section comes into force, the organisation is also guilty of the offence."
The relevant offences listed in the ECCTA (at Schedule 12) cover a broad scope of economic crime offences, including bribery, money laundering and, relevant for financial services firms, certain offences under the Financial Services and Markets Act 2000. The Government has also proposed that the current list be extended to cover all criminal offences, via the introduction of the new Criminal Justice Bill 2023/24 (clause 14).
"Senior manager" is broadly defined:
"senior manager", in relation to a body corporate or partnership, means an individual who plays a significant role in—
(a) the making of decisions about how the whole or a substantial part of the activities of the body corporate or (as the case may be) partnership are to be managed or organised, or
(b) the actual managing or organising of the whole or a substantial part of those activities.
The offence is explicitly applied by s.196(4) to overseas companies. Unlike the FTP fraud offence, companies of all sizes are in scope, and there is no need for an intention to benefit the organisation to be shown to establish liability.
Implications
The amendment is intended to and will make it very significantly easier for criminal liability to be attributed to an organisation, in respect of economic crimes committed by senior managers. Prosecutors will now be spared the significant burden created by the common law "identification principle".
The new provisions therefore place greater responsibility on corporates to exercise oversight and control over the conduct and actions of their senior managers. Put simply, if the senior manager is guilty, the business may also be guilty.
In the course of a review of fraud risks and prevention procedures organisations should be mindful of the "senior manager" test for corporate criminal liability and ensure those meeting the definition of "senior manager" are aware that their actions may be capable of fixing the company with criminal liability.