04 December 2023
What is the new legislation?
Following months of debate – not least a recent intense round between the Lords and the Commons – the Economic Crime and Corporate Transparency Act (quickly dubbed ‘ECCTA’) has now been passed and received Royal Assent at the end of October.
The act is in effect a broad church in terms of its scope and covers a comprehensive list of subjects. The stated aim is to deliver a number of reforms and additional powers – to Companies House – to tackle economic crime and improve transparency over corporate entities.
Some of its most anticipated measures are the result of a long overdue attempt to reform the law related to corporate fraud. Police-recorded fraud in the year ended September 2022 increased by 22% compared with the previous year and is now the most frequently reported crime in the UK, representing more than 40% of offences reported to police. With ECCTA, parliament has opted for a new ‘failure to prevent fraud’ offence (albeit of limited scope), following a similar approach to previous legislation in the corporate crime space (failure to prevent bribery and failure to prevent the facilitation of tax evasion).
The intention is twofold: to hold a large organisation accountable should it profit from the fraudulent actions of someone acting on its behalf, and to reduce fraud-related crime by driving culture change, forcing large organisations to improve internal fraud prevention procedures by taking responsibility for the actions of persons associated with the organisation.
The act introduces a new approach to corporate criminal liability – something which has been long advocated (and no doubt welcomed) by prosecutors – with some reforms to the current ‘identification doctrine’ requirement.
How will the ‘failure to prevent’ offence operate?
A ‘relevant body which is a large organisation’ will be guilty of fraud if:
- a person associated with the body commits a ‘specified fraud offence’ (a list of the ‘specified fraud offences’ is found in Schedule 13 to the Act); and
- the fraud is intended to benefit the organisation or any person who receives services from the organisation.
The organisation will not be guilty of an offence if it is the victim of the fraud or where the fraud committed by the associated person benefits themselves, not the organisation. An associated person is defined as an employee, agent, subsidiary, and any other person that performs services on behalf of the organisation.
Failure to prevent fraud is a strict liability offence – i.e. the prosecution does not need to prove that the organisation was aware of the offence; it is sufficient if the associated person commits the specified offence for the benefit of the organisation. The organisation’s only defence is to prove that at the time of the alleged offence it had reasonable prevention procedures in place, or that it was not reasonable for it to have such procedures in place. Guidance on what constitutes ‘reasonable procedures’ will be issued by the government and is expected to be published in early 2024.
The act has settled one of the more contentious differences between the Lords and the Commons in respect of the failure to prevent fraud offence. It only applies to a ‘large organisation,’ which is defined as meeting at least two of the following criteria in the financial year preceding the offence:
- more than 250 employees;
- more than £36 million turnover; and/or
- more than £18 million in total assets.
Any organisation meeting the threshold criteria falls within the ambit of the act – commercial organisations (whether incorporated or not), NGOs, charities, or public bodies. Like the failure to prevent bribery and failure to prevent tax evasion offences, the offence also has significant extra-territorial application. In effect, this means:
- if the criminal conduct occurs abroad but would constitute fraud in the UK, or targets someone in the UK, the organisation may still be held liable; and
- if the criminal conduct occurs in the UK, but the organisation is based offshore, the organisation may also be held liable.
If convicted of the failure to prevent offence, the organisation could receive an unlimited fine.
Which types of fraud offences are in scope?
The specified fraud offences in scope are those most likely to be relevant to corporations and are listed in Schedule 13 of the act. The types of fraud scenarios captured will include incidents where employees:
- take part in dishonest sales practices where individuals are convinced to invest money into investment schemes based on deliberately misleading information;
- hide essential information from consumers or investors, for example where financial statements are intentionally misrepresented to make an organisation’s financial performance appear better than it is, such as inflating revenues, understating expenses, or overstating assets;
- deceive and make misleading statements to consumers concerning the positive environmental impact of an organisation’s product; and
- take part in dishonest practices in financial markets, such as insider trading, market manipulation and pump-and-dump schemes (artificially inflating the price of a security by making false or misleading statements then selling shares at the inflated price causing the price to crash).
What could be considered ‘reasonable’?
The act stipulates that a large organisation will not be guilty of the offence if it can prove that at the time of the offence it had reasonable procedures in place to prevent fraud or did not reasonably need such procedures. This is a continuation of the current ‘failure to prevent’ principles in UK criminal law, which makes it imperative for an organisation to demonstrate that it had ‘reasonable’ (in the case of failure to prevent tax evasion) or ‘adequate’ (in the case of failure to prevent bribery) procedures in place to prevent the offence.
Under the new failure to prevent fraud offence in the act, the organisation will be criminally liable if it cannot prove that it had procedures in place to prevent fraud that may reasonably be expected of it, given all the circumstances. As noted above, the act also provides for a defence of circumstances where the risk of fraud is so low that it would be considered reasonable not to have fraud prevention procedures in place. When relying on this position, however, the organisation would be prudent to consider a documented risk-based approach necessary to justify its decision-making process.
We are currently awaiting the guidance as to what might constitute ‘reasonable procedures’ from government, but when considering the failure to prevent legislation already in place, it is common sense which areas large organisations should focus on:
- formal fraud risk assessments should periodically take place to identify and measure areas within the organisation susceptible to fraud. Some areas may require further proactive testing and training to ensure that there are effective, proportionate risk-based procedures in place. The fraud risk assessment should feed into the annual fraud strategy which defines the areas of focus for that year;
- a regularly reviewed anti-fraud policy should be in place which outlines the organisation’s approach to fraud, responsibilities, and tone from the top. The policy should be widely publicised, internally and externally, and supported by a response plan that should be implemented when incidents occur, as well as an annual strategy for combatting fraud;
- ensure that there are confidential and clearly defined reporting routes, supported by a sound whistleblowing policy and process, with a feedback mechanism where appropriate. The organisation should respond quickly to suspected fraud by initiating an investigation, preserving evidence, and involving a counter-fraud specialist or law enforcement. Prompt action can help prevent further losses and minimise the impact of fraud; and
- provide periodic and effective anti-fraud training for all employees as well as bespoke training for key risk areas such as finance, procurement, and HR/recruitment. Training and other communications should include a statement from senior managers explaining their stance on fraud and demonstrating the ‘tone from the top.’
The anti-fraud programme in place should be reviewed regularly and evaluated for effectiveness and updated when necessary.
Will the act make it easier to prosecute corporates?
The Act has now extended the ambit of the so-called ‘identification doctrine’. This common law doctrine has made it tough to successfully prosecute corporates for economic crime, requiring proof of a ‘directing mind and will’ of the corporate for a conviction. It has long been a bugbear of prosecutors, who argue that this approach does not consider the sometimes-sophisticated nature of decision-making in modern commercial organisations. The courts have given the requirement a narrow interpretation – it meant prosecutors needed to prove directors (or someone delegated by the board) ‘directed proceedings,’ which has made it challenging to hold large and complex organisations accountable for corporate crime.
The act now provides that an organisation will be held criminally liable if a senior manager commits a ‘relevant offence’ or part of an act constituting such an offence. The relevant offences are a list of economic crimes contained in Schedule 12 of the act, and it includes aiding, abetting, procuring, attempting, or conspiring to commit a relevant offence. A senior manager is defined as an individual who plays a significant decision-making role in the whole or, crucially, part of the activities of the organisation.
When will the act commence?
Most provisions in the act came into effect on 26 October 2023, following Royal Assent. However, the failure to prevent fraud offence will only commence after ‘reasonable procedures’ guidance has been issued and is expected to be early in the new year.
The new, relaxed doctrine in respect of prosecuting corporates for economic crime will come into effect towards the end of December.
- The restriction of the offence’s application to large organisations – which comprise less than 1% of commercial businesses in the UK – came in for some criticism, especially from the Lords. Parliament decided that to widen the ambit may place an unnecessary financial burden on SMEs. It remains to be seen if this will be exploited as a potential loophole by criminal organisations. Interestingly, the act gives the secretary of state the power to change the definition of a ‘large organisation,’ and even to omit it from Section 199.
- The definition of an ‘associated person’ is quite broad, as set out above. Some commentators have pointed out that this definition goes further than that of an ‘associated person’ in the Bribery Act. It effectively includes anyone acting on behalf of the organisation, including employees, vendors, service providers, sales agents, and third-party consultants. There is no doubt this will place a significant burden on the compliance functions at large organisations; however, it may well be that large organisations enforce the same guidance applicable to them on their ‘associated persons’ in various ways to manage their fraud risk, à la the implementation of the Bribery Act a decade ago.
- The relaxation of the ‘identification doctrine’ has extended regulatory and prosecution risk and made it easier to prosecute all organisations, of any size, for economic crime, including fraud, theft, false accounting, and bribery. At the very least, any organisation that wants to do the right thing should ensure it understands who would fall under the definition of a ‘senior manager’ in the act and review its prevention procedures frameworks.
Although only applicable to large organisations, the new corporate offence of failure to prevent fraud effectively requires all organisations to revisit their approach to how they prevent fraud being committed by employees or agents. A fraud risk assessment and effective risk-based approach are fundamental in establishing a proportionate anti-fraud programme and procedures that would be considered ‘reasonable’ to prevent fraud.
If the organisation is in any doubt that its anti-fraud programme would satisfy the requirements of the new legislation, now would be the time to conduct a fraud risk assessment and consider what additional policies, procedures and controls should be incorporated to mitigate fraud risk and enhance protection against potential prosecution under the new act.
For more information, please contact Flip Stander.