The Economic Crime and Corporate Transparency Act 2023 (the ECCTA) received Royal Assent in October 2023. As part of significant reform to the UK's corporate criminal liability regime, among other reforms, the ECCTA introduced a new offence of failure to prevent fraud (the FTP Fraud Offence), which is expected to come into force by 2025, once relevant government guidance has been published.

This briefing focuses on who constitutes an "associated person" of an in-scope organisation under the FTP Fraud Offence. This is the latest in our series of briefings and podcasts on the ECCTA, the full series of which can be found here.

Overview of the FTP Fraud Offence

The key elements of the FTP Fraud Offence are:

  1. a 'person associated' with the 'relevant body' (ie. a 'large organisation') commits a relevant 'fraud offence' over which the UK has jurisdiction. See our recent briefing and podcast which cover jurisdiction and the concepts of 'relevant body' and relevant 'fraud offence' in more detail;
  2. the relevant 'fraud offence' is committed with the intention of benefitting (directly or indirectly) the relevant body or any person to whom, or to whose subsidiary, the associated person provides services on behalf of the relevant body; and
  3. the relevant body did not have in place reasonable fraud 'prevention procedures'. The Government is due to publish guidance about such procedures, prior to the offence coming into force, although the precise date for publication remains uncertain at this point in time.

If convicted of the FTP Fraud Offence, an organisation may be liable for an unlimited fine. For further detail on each of these elements, please see our recent briefing.

Definition of associated person

Associated persons are defined in sections 199(7) and 199(8) of the ECCTA as:

  • Employees, agents or subsidiaries of the relevant body;
  • Employees of a subsidiary of the relevant body; or
  • Those who otherwise perform services for or on behalf of the relevant body. Section 199(9) provides that whether or not a particular person provides services for, or on behalf of, a relevant body is to be determined by reference to all the relevant circumstances and not merely by reference to the nature of the relationship between that person and the relevant body.

In all scenarios, the associated person must commit the relevant fraud offence with the intention, whether direct or indirect, of benefitting the relevant body or any person to whom, or to whose subsidiary, the associated person provides services on behalf of the relevant body (for example, customers or clients).

Fraud offences committed by associated persons with no intention to benefit the relevant body (or the customer / the customer's subsidiary) will not attract liability for the relevant body. For example, where the fraud is committed for personal gain at the expense of the relevant body and/or the relevant body was, or was intended to be, a victim of the fraud.

Comparison with definitions in equivalent failure to prevent offences

While similar, the definition of 'associated persons' for the FTP Fraud Offence is broader than the equivalent definitions1 in the failure to prevent bribery offence in the Bribery Act 2010 ("UKBA") and the failure to prevent the criminal facilitation of tax evasion offence in the Criminal Finances Act 2017 ("CFA").

  • Under the UKBA, a subsidiary, agent or other person may be an associated person if, on examination of all the relevant circumstances, they provide services for or on behalf of the relevant body. Employees are presumed to be associated persons unless the 'contrary is shown'. This is narrower than the FTP Fraud Offence which automatically applies to employees, agents, subsidiaries, and employees of subsidiaries without regard to whether, on an assessment of all the relevant circumstances, the person performs services 'for or on behalf of the relevant body.'
  • Similar to the FTP Fraud Offence, employees and agents are automatically associated persons for the purpose of the CFA offence. Other persons providing services for or on behalf of the relevant body may also be associated persons following an assessment of the relevant circumstances. However, a relevant body will only be liable under the CFA offence if the associated person was 'acting in the capacity' of an associated person when undertaking the relevant conduct. There is no similar carve-out in the FTP Fraud Offence although, in practice, if a third-party service provider commits a fraud in connection with unrelated work for a different principal or customer, they are unlikely to be doing so with the intention of benefitting the relevant body.

Common categories of associated persons

Due to its broad construction, the definition of associated person in the FTP Fraud Offence is capable of capturing the conduct of a wide range of persons and activities (liability of a relevant body is, of course, subject to the other elements of the offence being satisfied and the availability of the reasonable fraud prevention procedures defence, which we discuss in more detail in our other briefings). Some common categories of persons that may fall within the scope of the FTP Fraud Offence include:

  • Employees: Employees are automatically classified as associated persons under the FTP Fraud Offence. Liability for the relevant body will therefore depend on whether the employee intended to benefit the relevant body (whether directly or indirectly) or a customer / customer's subsidiary, when committing the relevant fraud offence.

For example, an employee who inflates their business unit's revenue figures in an annual report to meet their own KPIs is likely to create liability for their employer. Even if the employee's primary intention was their own personal gain, they are likely to have had a secondary intention to benefit their employer by creating a more positive financial outlook. Conversely, an employee who commits expenses fraud will not engage the FTP Fraud Offence because the company is the intended victim of the employee's fraud.

  • Non-permanent employees: Alongside permanent employees, a relevant body is likely to be liable for conduct of non-permanent persons acting in a similar employment capacity (such as temporary employees and secondees) who perform services for or on behalf of the relevant body.
  • Agents: Agents are persons who have the power to create or alter legal rights, duties, or relationships on behalf of the relevant body and are automatically within the scope of the FTP Fraud Offence. Common examples include local agents in foreign jurisdictions, legal representatives, sales agents and marketing agents. Similar to employees, liability will depend on who the fraudster intended to benefit.

For example, a sales agent of a company who deliberately withholds information about a product from a prospective customer to secure a sale on behalf of the company may create liability for that company as, while it depends on the circumstances, it is likely that the agent intended the company to benefit through increased sales even if the agent's primary intention was their own financial gain through fees or commissions.

  • Third party service providers or contractors: External third parties engaged by the relevant body to provide specific services or perform specific tasks may be associated persons for the purpose of the FTP Fraud Offence. While each case depends on a careful assessment of whether the person provides services for or on behalf of the relevant body, the following are likely to fall within the scope of the offence (subject again to the other required elements being present):
    • Third party providers of ongoing outsourced services, such as payroll services, customer support and IT support;
    • Contractors engaged to perform specific tasks, projects, or services, such as consultants, accountants, and marketing agencies;
    • Third party distributors and intermediaries in supply chains; and
  • Suppliers: Suppliers could also fall within the scope of an associated person if they supply goods or services for or on behalf of the relevant body (such as supplying services directly to a customer on behalf of the relevant body). If, however, a supplier is simply supplying goods or services to the relevant body they are less likely to be in scope.

We explore these categories and additional examples in more depth in our recent podcast episode.

Subsidiaries and employees of subsidiaries are also automatically within the scope of the FTP Fraud Offence as associated persons. This has the potential to create widespread liability for companies for the acts of their subsidiaries. A critical question is therefore whether, where a subsidiary/employee of a subsidiary commits a fraud directly for their own benefit, this will be taken as an intention to benefit the parent/'relevant body'. This is a complex area and is one that we will be exploring in more detail in a separate upcoming briefing and instalment of our podcast.

Commentary

The broad scope of persons who may be associated with a relevant body for the purpose of the FTP Fraud Offence means companies face increased exposure if a fraud offence is committed. Although government guidance on "reasonable prevention procedures" is still forthcoming, some relevant bodies may be beginning to consider their existing fraud prevention procedures in anticipation of the FTP Fraud Offence coming into force. In relation to associated persons specifically, relevant bodies could consider taking steps to identify and consider the risk associated with different categories of associated persons. Although the tests are not precisely the same, the significant degree of overlap with the definitions of associated persons in the UKBA and CFA mean that companies are likely to have existing risk assessments looking at associated persons through these lenses, with due diligence and other controls tailored accordingly. This may therefore be a helpful starting point for thinking about categories of associated person risk for the purposes of the ECCTA. However, the categories of associated persons that present an elevated risk of committing fraud on a company's behalf will not necessarily be the same as those that present a higher risk of bribery (where the focus tends to be on public official interaction and winning business). Companies will therefore need to carefully consider where fraud risk is most likely to arise within their businesses.

Footnote

1. See section 8 of the UKBA and section 44(4) and (5) of the CFA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.