The expansion of corporate criminal liability and the failure to prevent fraud offence

The UK has taken a significant step forward in reinforcing its ability to counter financial crime with the enactment of the Economic Crime and Corporate Transparency Act 2023 (the “ECCTA”).  The ECCTA introduces a range of measures to strengthen the UK’s ability to tackle fraud and other economic crimes, the most important of which are:

1. The expansion of the scope of the identification principle, under which the criminal misconduct of individuals can be attributed to a company; and
2. The introduction of the new failure to prevent fraud offence.

We explain both in more detail below, before addressing the implications for companies and what steps they should take now.

The traditional approach to corporate criminal liability has been governed by the identification principle.  Under this approach the common law fixed corporations with criminal liability only where the relevant acts were performed by a natural person who could be said to represent the directing mind and will of an organisation.  In practice this limited corporate criminal liability to the acts of a very narrow range of the most senior executives and the identification principle attracted sustained criticism for this reason.

Section 196 of the ECCTA significantly expands the identification principle to include senior managers “acting within the actual or apparent scope of their authority”.  A senior manager is defined as an individual who plays a significant role in either (i) managing a corporate entity’s activities or (ii) making decisions about how such activities are managed.  It will remain for the courts to determine the limits of this definition.

As matters stand, the new senior managers test is limited to the list of economic crimes recorded in schedule 12 of the ECCTA, which covers a broad scope of economic crime offences such as bribery, money laundering, and certain offences under the Financial Services and Markets Act 2000.

The ECCTA has therefore significantly widened the pool of senior executives whose actions can fix a corporation with criminal liability.

Practically, however, given the matrix reporting structures of most large multinational organisations.  It will still be necessary for example to identify an individual with the requisite mens rea for the offence.  It remains to be seen whether this amendment will substantially alter the challenges previously experienced under the identification principle.

The introduction of the offence of failure to prevent fraud marks a significant shift in the UK’s approach to corporate accountability for criminal misconduct.  Section 199 of the ECCTA is designed to hold businesses accountable for fraudulent activities carried out by individuals associated with them, such as employees, agents or subsidiaries.

The new offence makes organisations liable if they fail to prevent certain specified fraud offences[1] where (i) an employee or agent commits the fraud; and (ii) the fraud is directly or indirectly intended to benefit the organisation or a person to whom services are provided on behalf of the organisation.  We briefly expand on the elements of the offence below.

[1] Fraud by false representation (section 2, Fraud Act 2006); fraud by failure to disclose information (section 3 Fraud Act 2006); fraud by abuse of position (section 4, Fraud Act 2006); obtaining services dishonestly (section 11, Fraud Act 2006); participation in a fraudulent business (section 9, Fraud Act 2006); false statements by company directors (section 19, Theft Act 1968); false accounting (section 17, Theft Act 1968); fraudulent trading (section 993, Companies Act 2006); cheating the public revenue (common law).

The offence is limited to “large organisations” only.  To qualify as “large”, an organisation must satisfy at least two of the following conditions in the financial year preceding the year of the offence: (i) turnover of more than £36 million; (ii) more than 250 employees; or (iii) more than £18 million in total assets.

The offence does not create liability for individuals but can result in unlimited fines for qualifying organisations.  Practically, smaller organisations will also likely be required to ensure effective anti-fraud procedures are in place, as other operators in their supply chain may regard them as an associated persons for the purposes of the offence.

The term “persons associated with a business” is defined broadly to include employees, agents and other individuals performing services for or on behalf of business (e.g. suppliers, advisors, contractors, etc).

Organisations will be criminally liable when the fraud offence is committed for the organisation’s benefit (directly or indirectly) or for the benefit of any person to whom the associated persons provides services on behalf of the organisation, e.g. a customer.  Determining who was intended to benefit from the fraud offence will therefore be key to establishing criminal liability.

The failure to prevent fraud offences apply to all companies regardless of their place of incorporation if they carry on a business or part of a business in the UK.  Similarly, if an employee commits fraud under UK law, their employer could be prosecuted even if it’s based overseas.

Organisations will be criminally liable when the fraud offence is committed for the organisation’s benefit (directly or indirectly) or for the benefit of any person to whom the associated persons provide services on behalf of the organisation, e.g. a customer.  Determining who was intended to benefit from the fraud offence will therefore be key to establishing criminal liability.

Organisations may also be able to escape prosecution if, at the time the fraud offence was committed, they had reasonable preventative procedures in place. Guidance on what will be considered ‘reasonable preventative procedures’ is yet to be published. There may be instances where it could be considered reasonable to have no procedures in place at all, however this is likely to be confined to those organisations where the risk of fraud is extremely low.

The reforms outlined above will make it easier to prosecute businesses for criminal misconduct.  Firms should expect to see an increase in investigations initiated by the SFO and potentially a heightened risk of private prosecutions.  The trend towards utilising deferred prosecution agreements or DPAs will continue and grow.  Internal compliance procedures, culture, and whistleblowing programmes will be closely scrutinised.

Organisations should take steps now to prepare by reviewing and if necessary enhancing their existing control frameworks, policies, procedures and training programmes.  The new failure to prevent fraud offence reflects the approach first seen in the UK Bribery Act 2010 in relation to bribery and corruption, and mirrored by the Criminal Finances Act 2017 in respect of tax evasion.  Firms should consider building on existing processes they have in place in relation to that legislation.

As the ECCTA captures a broad range of potential fraud offences with varying and nuanced elements, care should be taken to ensure that current compliances procedures and training programmes adequately reflect the offences and the firm’s processes.

The reforms are intended to reduce fraud and clarify aspects of corporate criminal liability which have long been criticised as failing to reflect modern corporate structures.  Whether the reforms are sufficient to achieve their aims remains to be seen.