May 08, 2024

UK corporate criminal liability: changes so far and changes coming – have you prepared?

On 26 October 2023, the Economic Crime and Corporate Transparency Act 2023 (the "Act" or "ECCTA") received royal assent and became law. The Act introduced a number of changes, some of which came into effect immediately and others which are still due to be implemented. Our previous updates have covered (i) how the anticipated key changes in the then Bill would change the operation of attribution of criminal liability to corporates for certain economic crimes (see UK corporate criminal liability: reform of the identification principle); and (ii) the immediate changes introduced when the Act first became law (see Economic Crime and Corporate Transparency Act 2023 becomes law).

Now we are almost six months on, it is time to take stock of the current position under the Act, what may happen in the near future, and steps corporates can take.

Why did these reforms come about?

Fraud is the most common offence in the UK. As the Government's 2023 Fraud Strategy notes, "Fraud now accounts for over 40% of crime but receives less than 1% of police resource."1

The Act seeks to help combat this by, for example:

  • holding organisations to account if they profit from fraud committed by their employees;
  • improving fraud prevention;
  • protecting victims;
  • strengthening existing powers to fine and prosecute organisations and their employees for fraud by closing loopholes that have allowed organisations to avoid prosecution in the past;
  • driving a major shift in corporate culture to help reduce fraud.2

This article will cover:

  • changes that have already come into effect, namely:

    1. reform of the identification principle;
    2. widened powers for the Serious Fraud Office ("SFO");
    3. the first set of expanded powers for Companies House; and

  • changes that are yet to come into effect, namely:

    4. the second set of expanded powers for Companies House;
    5. the new failure to prevent fraud offence; and
    6. changes to help combat crypto-related criminal activity.

Changes that have already come into effect
1. Reform of the Identification Principle

Historically, where the mental state of the defendant was a required element of an offence, only the mental state of a person representing the "directing mind and will" of a corporate could be attributed to that corporate. Establishing this has proved challenging for the SFO in its prosecutions, especially of large corporates.3

Under section 196 of the new Act, as of 26 October 2023, the identification principle has been amended for certain specific offences such that corporate liability will be attributed to a corporate where a "senior manager" commits a "relevant offence" – where a "relevant offence" is one of those listed in Schedule 12 of the Act. "Senior manager" is defined as an individual who plays a significant role in either (a) the making of decisions about how the whole or a substantial part of the activities of the organisation are to be managed or organised, or (b) the actual managing or organising of the whole or a substantial part of those activities.4

This means that we now have two parallel identification principles in effect. Currently, if a corporate is being prosecuted for one of the economic crime offences in Schedule 12 of the Act, prosecutors will be looking at whether the individual with mens rea is a "senior manager". If the offence is not one of those listed, the prosecutor will be looking at whether the individual with mens rea is the "directing mind and will" of the corporate.

One potential further development to note is that section 16 of the Criminal Justice Bill (the "Bill") currently before Parliament seeks to expand the "senior manager" approach to all criminal offences. We do not yet know if this will indeed be passed into law but, if it is, the "senior manager" approach to corporate criminal liability will apply to all criminal offences – not just the offences listed in Schedule 12 of the Act (which, along with section 196 itself, would be repealed if this new provision becomes law).

Section 16 of the Bill currently states: "Where a senior manager of a body corporate or partnership acting within the actual or apparent scope of their authority commits an offence under the law of England and Wales, Scotland or Northern Ireland, the organisation also commits the offence". If passed, this would mean that a company could be liable for any criminal offence if a senior manager is found to have committed an offence within the scope of their actual or apparent authority. Whether this Bill or this specific provision will be passed is yet to be seen.

2. SFO's widened powers

The Act expanded the Serious Fraud Office's ("SFO") pre-investigative powers, originally granted by Section 2A of the Criminal Justice Act 1987. The expanded powers came into effect on 15 January 2024.

Previously, Section 2A gave the SFO the power to compel individuals and corporates to provide information at a pre-investigation phase in suspected cases of international bribery and corruption where there were "reasonable grounds to suspect" that an offence had taken place. Now, these powers can be used in domestic cases where there are "reasonable grounds to suspect" that fraud, bribery or corruption has taken place.5

Also of note is the expansion of the SFO's existing power to share information it obtains using its compulsory powers with other agencies (per Section 3(5) of the Criminal Justice Act 1987) to include even those receiving agencies which do not possess equivalent pre-investigative powers.

3. Companies House: first set of expanded powers

Historically, Companies House's role has been that of a passive recipient of data rather than an active manager of that data. The White Paper that was issued ahead of the new Act stated that Companies House would now be a "much more active gatekeeper over company creation and [a] custodian of more reliable information on the register."6 It said that the legislation would introduce new objectives for the Registrar to "promote and maintain the integrity of the register and to minimise the extent to which companies facilitate the carrying out of unlawful activities."

The first set of expanded powers became exercisable by Companies House as of 4 March 2024. The Registrar can now refuse to incorporate a company where, in the Secretary of State's view, the name could be used to facilitate certain crimes or where the name suggests a non-existent connection with a foreign government or an international institution.7 To protect other users of the company register, the Registrar also has the power to reject names which comprise or contain a computer code.8 Further, the Registrar has new powers to direct companies to change their names if they fall into these categories and the Registrar can replace a company's name with its company number on the register if it fails to act.9

Another power given to the Registrar is to share data with any persons for purposes connected with the Registrar's functions or with other public authorities for purposes connected with their functions. The Registrar's powers to remove material from the register have also been expanded and the Registrar now has greater powers to change the address of a company's registered office and take action against those who persistently fail to provide an appropriate registered office address.

Changes yet to come into effect
4. Companies House: second set of expanded powers

Further changes to Companies House's authority will come into effect later in 2024, including the introduction of compulsory identity verification for all directors and People with Significant Control ("PSCs") of UK corporate entities. Identity verification requirements will apply to all new and existing registered company directors, PSCs and anyone else filing documents with the Registrar. For new directors, identity verification will need to take place before the company is formed, while PSCs will be required to be verified within a short time after incorporation.10

More detail on the process is awaited, but we know that there will be two types of identity verification: direct verification via Companies House or verification through an "authorised corporate service provider" (i.e. a person subject to the UK's money laundering regulations and who has registered at Companies House).

There will be a transition period for existing companies to comply with the requirements, but after that, anyone who was required to verify their identity but has failed to do so could be subject to criminal or civil proceedings. They could also face incorporation of a new company being rejected and, for directors, prohibition from acting as a director.

5. New failure to prevent fraud offence

A new strict liability corporate offence of failure to prevent fraud builds on the existing strict liability corporate offences of failure to prevent bribery under the Bribery Act 2010 and failure to prevent the facilitation of tax evasion under the Criminal Finances Act 2017.

The new offence only applies to "large organisations" i.e. those which meet at least two of the following criteria in the financial year preceding the year of the fraud offence:

  • more than 250 employees;
  • more than £36 million turnover; and/or
  • more than £18 million in aggregate assets on its balance sheet.

A corporate is also a "large organisation" where it is a parent undertaking of a group which meets at least two of the following criteria in the financial year preceding the year of the fraud offence:

  • an aggregate turnover of over £36 million net (or £43.2 million gross);
  • aggregate balance sheet total of over £18 million net (or £21.6 million gross); and/or
  • more than 250 aggregate employees.11

A "large organisation" is liable under the new offence if it fails to prevent one of the fraud offences specified in Schedule 13 of the Act where (i) an "associate" of the organisation commits the fraud; and (ii) the fraud is intended to benefit the organisation or a person to whom services are provided on behalf of the organisation.

"Associate" is defined as an employee, agent, subsidiary, or employee of a subsidiary of the organisation, as well as any others who perform services for or on behalf of the organisation.12

The offences listed in Schedule 13 of the Act include false accounting, fraud by false representation, fraud by abuse of position, and fraud by failing to disclose information. The Secretary of State is empowered to pass secondary legislation to add or remove offences from this schedule. Aiding, abetting, counselling or procuring the commission of one of the listed offences also amounts to an offence.13

The failure to prevent fraud offence has potentially wide extraterritorial effect. Unlike the failure to prevent bribery offence, there is no requirement for a company to be incorporated in, or carrying on a business or part of a business, in the UK for the failure to prevent fraud offence to "bite". The territorial effect of the failure to prevent fraud offence therefore flows from the territorial effect of the relevant underlying fraud offence in Schedule 13 of the Act. If an "associate" commits fraud under UK law, or targeting UK victims, the organisation could potentially be liable to be prosecuted, even if the organisation (and/or the associate) are based overseas.

The organisation will only have a defence if it can show it either had "reasonable procedures" in place to prevent fraud, or that it was not reasonable for the organisation to have such procedures in place.14

We await the Government's guidance on the "reasonable procedures" defence to the new failure to prevent fraud offence, which will assist organisations when designing and implementing those procedures. The failure to prevent fraud offence will only come into force some time (currently six months) after the guidance is published. It is currently anticipated the guidance will be published later this year.

6. Crypto-related criminal activity

The Act expands the powers available to law enforcement in respect of crypto-related criminal activity. This includes extending the confiscation and civil recovery regime under the Proceeds of Crime Act 2002 ("POCA") to cryptoassets, granting law enforcement agencies significant authority to seize, store, and potentially sell or destroy cryptoassets as part of investigations.15

Given that these expanded powers required amendments to POCA, secondary legislation has been enacted to that effect. The 'Proceeds of Crime Act 2002 (Search, Recovery of Cryptoassets and Investigations: Codes of Practice) Regulations 2024' were published on 23 January 2024 and came into force on 26 April 2024.

Comment

In light of the changes already introduced by the Act and those still pending, we recommend that organisations do the following.

  • Review and reinforce their:
    • policies, procedures and controls to mitigate identified fraud risk;
    • financial management systems, such as for managing expenses and payments to suppliers;
    • whistleblowing program;
    • training;
    • third party contractual documentation;
    • third party (including subsidiary) oversight;
    • use of data analytics;
    • monitoring of fraud risk on an ongoing basis; and
    • internal audit program;
  • Identify those captured by the new definition of "senior manager" whose acts may lead to the organisation's liability for the specified economic crimes;
  • Ensure that these senior managers are aware of identified risks and applicable policies and procedures; and
  • Seek to create an organisational culture and governance structure to address economic crime risk.

Mayer Brown can assist with taking these steps, leveraging our expertise and experience in major corporate criminal investigations, in conducting analogous large-scale risk analysis exercises, as well as in ensuring policies and processes are adequate for the new requirements.



1 Fraud Strategy: stopping scams and protecting the public, updated 1 June 2023 (https://www.gov.uk/government/publications/fraud-strategy/fraud-strategy-stopping-scams-and-protecting-the-public).

2 Factsheet: failure to prevent fraud offence, updated 26 October 2023 (https://www.gov.uk/government/publications/economic-crime-and-corporate-transparency-bill-2022-factsheets/factsheet-failure-to-prevent-fraud-offence).

3 See, for example, the case of SFO v Barclays PLC & Anr [2018] EWHC 3055.

4 Section 196, Economic Crime and Corporate Transparency Act 2023.

5 Section 211 of the Act.

6 Corporate transparency and register reform, published 28 February 2022 (https://www.gov.uk/government/publications/corporate-transparency-and-register-reform).

7 Sections 8 - 9 of the Act.

8 Section 10 of the Act.

9 Sections 13 - 20 of the Act.

10 Sections 64 - 69 of the Act.

11 Sections 201 - 202 of the Act.

12 Section 199(7) of the Act.

13 Section 199(6)(b) of the Act.

14 Section 204 of the Act.

15 Sections 179 - 181 of the Act.
