After a laborious passage through the United Kingdom Parliament, the Economic Crime and Corporate Transparency Act (the Act) received Royal Assent on 26 October 2023. The Director of the UK Serious Fraud Office (SFO) hailed the new Act as "the most significant boost to the SFO's ability to investigate and prosecute serious economic crime in over 10 years". This alert focuses on two key reforms to the investigation and prosecution of corporate crime in the UK contained in the Act, namely, the introduction of a strict liability 'failure to prevent fraud' offence and the overhaul of the means by which liability for economic criminal conduct is attributed to corporate entities. Taken together, the reforms represent a huge shift in the UK corporate crime landscape and significantly increase the likelihood of companies being successfully prosecuted in the UK.

New failure to prevent fraud offence

Failure to prevent model

The new failure to prevent fraud offence is intended to broadly mirror the structure of the UK's existing strict liability 'failure to prevent' corporate offences, namely failure to prevent bribery (under section 7 of the Bribery Act 2010) and failure to prevent the facilitation of tax evasion (under part 3 of the Criminal Finances Act 2017).

Overview of the new offence

A relevant corporate entity (company or partnership) will be guilty of the new failure to prevent fraud offence if a person associated with it (an employee, agent, subsidiary or other person performing services on its behalf) commits a specified fraud offence intending to benefit the entity or anyone else to whom, or to whose subsidiary undertaking, the associate provides services on behalf of the entity. Liability can also attach to the parent entity in a corporate group if the fraud was committed by an employee of a subsidiary for the benefit of the parent.

The specified fraud offences include the common law offence of cheating the public revenue and statutory fraud offences under the Fraud Act 2006 (fraud by false representation, failing to disclose, abuse of position and obtaining services dishonestly), the Theft Act 1968 (false accounting and false statements) and the Companies Act 2006 (fraudulent trading).

The offence can only be committed by a corporate entity and not by an individual. It is a strict liability offence, meaning that there is no requirement for the management or board of directors of the corporate to have knowledge or awareness of the underlying fraud. Corporate entities found guilty of the offence are liable to an unlimited fine.

Importantly, the offence can only be committed by 'large organisations', defined by the Act as an organisation satisfying two or more of the following criteria:

  • Turnover of more than £36 million
  • Balance sheet total of more than £18 million
  • More than 250 employees

No offence can be committed where the corporate entity was, or was intended to be, a victim of the underlying fraud. The Act also provides a statutory defence for the corporate entity where it had in place fraud prevention procedures that were 'reasonable in all the circumstances' or where it was not reasonable in all the circumstances to expect the entity to have any fraud prevention procedures in place. The Government has committed to publishing guidance containing further detail on what constitutes reasonable procedures before the new offence comes into force.

Jurisdictional issues

The Act itself is silent on the potential extra-territorial jurisdictional reach of the new offence. However, the UK Government's policy document accompanying the draft (as it was then) legislation is clear that the intended jurisdictional scope is broad: "If an employee commits fraud under UK law, or targeting UK victims, their employer could be prosecuted, even if the organisation (and the employee) are based overseas." A large US-based company, for example, whose employee commits fraud in the UK, or targets UK victims, for the company's benefit would, in the absence of being able to establish that it had reasonable fraud prevention procedures in place, potentially be liable under the new offence.

Corporate conduct at risk

The breadth of the specified fraud offences means that strict criminal liability could technically attach to a wide range of corporate conduct. Amongst other areas, this might include the following:

  • Financial and regulatory reporting (asset valuations, related-party disclosures, revenue recognition practices and liability statements)
  • Non-financial reporting (ESG disclosures and modern slavery statements)
  • Asset management (processes and controls around procurement, cash/inventory)
  • Tax (corporate tax, transfer pricing and goods classification)
  • M&A activity (representations to investors, buyers and sellers)
  • Lending activity (representations to lenders)
  • Typical bribery and corruption issues (third-party/intermediary and government dealings, gifts and corporate hospitality, etc.)

In addition to finding themselves at increased risk of investigation and prosecution by UK law enforcement agencies such as the SFO, one potential consequence of the new offence may also be to increase the risk of private prosecutions being brought against companies by victims of fraud or activist investors for their failure to prevent fraud.

What should companies be doing now?

The new offence is not yet in force. The Government must first consult with the private sector before publishing guidance as to the scope and interpretation of the new offence, particularly as to what reasonable fraud prevention procedures look like. Whilst there is no need to overreact, companies can and should be taking steps in anticipation of the new offence being effective. Many large companies will already have in place adequate and effective procedures, controls and monitoring systems designed to detect and prevent fraud, particularly those subject to sector-specific regulatory obligations such as financial services firms. Now is an opportune time to commence a phased review of those existing anti-fraud procedures and controls. Incorporating the core tenets of the new offence into scheduled risk assessments to help identify and address any gaps is likely to be a proportionate response at this stage, both for those companies with long-established anti-fraud procedures as well as for those other companies who may be starting from scratch, keeping in mind the importance of maintaining a clear and documented record of the steps taken.

Overhaul of attribution of corporate criminal liability

The Act also amends the existing 'identification doctrine'—the main way in which criminal liability has been attributed to corporate entities in England and Wales—to allow for the actions of 'senior managers', acting within the actual or apparent scope of their authority, to fix the entity with liability with respect to a comprehensive list of economic crimes, including fraud, bribery, money laundering, sanctions, cheating the public revenue and conspiracy to defraud offences.

Identification doctrine

The main way that the criminal law of England and Wales previously attributed liability to corporations for offences requiring proof of fault was the identification doctrine, under which a corporate body would only be liable for criminal conduct by one or more natural persons representing its 'directing mind and will'. The Act goes significantly further.

Provided that a senior manager is acting within the actual or apparent scope of their authority and commits a relevant offence, the corporation will also be guilty of the offence. The definition of 'senior manager' is borrowed from the Corporate Manslaughter and Corporate Homicide Act 2007 to mean an individual who plays a significant role in:

(a) the making of decisions about how the whole or a substantial part of the activities of the corporation are to be managed or organised, or

(b) the actual managing or organising of the whole or a substantial part of those activities.

Senior managers therefore comprise not only those who decide on broad strategy but also those who make operational decisions covering the whole of the corporation or a substantial part of it. This may not capture someone whose role was limited to management of a discrete unit that does not represent a substantial part of the company's affairs, but probably would include someone whose responsibilities involve making decisions relating to corporate strategy and policy in a particular area—such as operations, legal or finance.

Whilst undoubtedly a broader formulation, the reforms will inevitably lead to difficult arguments during an investigation or in court as to who should properly be regarded as a senior manager. One complex factual analysis under the old identification doctrine is effectively substituted for another under the Act. A key question will become whether the evidence supports the proposition that an individual played a 'significant role' in relation to the management of the whole or 'a substantial part' of the business. All of this creates unfortunate uncertainty for companies.

How will this relate to the new failure to prevent fraud offence?

The strict liability failure to prevent offence will offer a means of addressing conduct that cannot be attributed to the corporation even under the revised basis of attribution and, perhaps more importantly, will impose a duty on companies to take positive steps to prevent the commission of offences by their agents and employees.

Conclusion

The new failure to prevent fraud offence is not yet in force, pending the publication of the Government's guidance, and as neither the new offence nor the new means of attributing corporate criminal liability for economic crimes has retroactive effect, there will be an inevitable time lag before we see an uptick in the investigation and prosecution of corporate misconduct pursuant to it. This would be consistent with the significant lag between the coming into force of the Bribery Act 2010 and the first significant corporate investigations and resolutions pursuant to that legislation.

This should not, however, minimise the significance of the two reforms, which undoubtedly increase the likelihood of companies being successfully prosecuted in the UK for economic wrongdoing. The corporate criminal landscape in the UK has fundamentally shifted, and companies domiciled here and abroad need to reflect on and react to the new higher-risk environment in which they find themselves.
