On 26 October 2023, the Economic Crime and Corporate Transparency Act 2023 (the "Act")1 received royal assent and became law. The Act builds on the Economic Crime (Transparency and Enforcement) 2022 Act2, which was introduced in light of Russia's invasion of Ukraine, and which we discussed in this previous alert. The Act introduces a number of wide ranging reforms to tackle economic crime and improve transparency over corporate entities3, including:
- a new strict liability offence of failure to prevent fraud for large corporates; and
- an amendment to the identification principle to make it easier to prosecute companies and partnerships for certain economic crime offences.
"Our current system for holding corporations liable for conducting crime is based on legislation that has become antiquated. We must adapt to the challenges posed by modern practices and sophisticated criminality. With the tabling of this reform, we are doing just that." Rt Hon Tom Tugendhat, Security Minister
These two reforms form part of the UK Government's Economic Crime Plan 24 and Fraud Strategy5, and serve to reinforce the importance of effective fraud risk management. Companies should reflect on the adequacy of their fraud risk management framework and the implications of failing to implement "reasonable procedures" to mitigate fraud.6
The amendment of the identification principle comes into force immediately. However, the strict liability failure to prevent offence will only come into force after the government has published guidance on the "reasonable procedures" defence to the offence (see section 1 below for further detail).
In light of these two legislative changes, which we discuss in more detail below, we recommend that organisations:
- Review and reinforce existing risk assessments with particular reference to relevant fraud risk;
- Review and reinforce their:
- policies, procedures and controls to mitigate identified fraud risk;
- whistleblowing program;
- third party contractual documentation;
- third party (including subsidiary) oversight;
- use of data analytics;
- monitoring of fraud risk on an ongoing basis; and
- internal audit program;
- Identify "senior managers" whose acts may lead to the organisation's liability for certain economic crimes (see section 2 below). Ensure that these senior managers are aware of identified fraud risks and applicable policies and procedures; and
- Seek to create an organisational culture and governance structure to address fraud risk.
Mayer Brown can assist with taking these steps, leveraging our expertise and experience in conducting analogous large-scale risk analysis exercises, as well as ensuring policies and processes are adequate for the new requirements.
If you have questions, or would like to find out more about how we can help, please contact Alistair Graham, Sam Eastwood, Chris Roberts, Findley Penn-Hughes, or Hormis Kallarackel.
1. New failure to prevent fraud offence
The new offence is unusual and potentially very significant because it is a strict liability criminal offence.
It builds on the existing offences of failure to prevent bribery under the Bribery Act 2010 and failure to prevent the facilitation of tax evasion under the Criminal Finances Act 2017. The new offence will come into force only after the government has published guidance on the "reasonable procedures" defence to the offence (see further detail below).
The offence only applies to larger companies and partnerships (the "organisation") which meet at least two of the following criteria in the financial year preceding the year of the fraud offence:
- more than 250 employees;
- more than £36 million turnover; and/or
- more than £18 million in aggregate assets on its balance sheet.
The offence will also apply to organisations which are the parent undertaking of a group which meets at least two of the following criteria in the financial year preceding the year of the fraud offence:
- an aggregate turnover of over £36 million net (or £43.2 million gross);
- aggregate balance sheet total of over £18 million net (or £21.6 million gross); and/or
- more than 250 aggregate employees.
An organisation which meets two of these criteria is defined as a “large organisation” under the Act and will be liable under the new offence if it fails to prevent a specified fraud offence where (i) an "Associated Person" of the organisation commits the fraud; and (ii) the fraud is intended to benefit the organisation or a person to whom services are provided on behalf of the organisation.
"Associated Person" is defined as an employee, agent or subsidiary of the organisation (as well as any others who perform services for or on its behalf). This is broader than the definition in the Bribery Act 2010, which includes a rebuttable presumption that an employee is an Associated Person, but in relation to agents and subsidiaries applies a test as to whether the associated person actually performs services for or on behalf of the organisation in the relevant circumstances.
The failure to prevent fraud offence has wide extraterritorial effect. If an Associated Person commits fraud under UK law, or targeting UK victims, the organisation could be prosecuted, even if the organisation (and the Associated Person) are based overseas.
Specified fraud offences are listed in Schedule 13 to the Act and include fraud by false representation, fraud by abuse of position, and fraud by failing to disclose information. The Secretary of State is empowered to pass secondary legislation to add or remove offences from this schedule.
The organisation will only have a defence if it can show it either had "reasonable procedures" in place to prevent the fraud, or that it was not reasonable for the organisation not to have such procedures in place. The government is required under the Act to publish guidance on what it considers to be adequate in this regard. This is the same as happened with the strict liability corporate offence of failure to prevent bribery, when the Bribery Act 2010 came into force.
Organisations within scope of the new offence will need to carry out risk assessments to re-examine their fraud detection and prevention processes against any new statutory guidance. If that guidance aligns with the guidance for the existing failure to prevent bribery and facilitation of tax evasion offences, this will include implementing:
- regular risk analysis, which is kept under review;
- anti-fraud policies and processes supported by appropriate training;
- financial, commercial and accounting controls; and
- whistle blowing program.
Such organisations can leverage already existing policies and procedures, such as their anti-bribery policies and procedures.
The assumption that agents and subsidiaries are assumed to be Associated Persons means that organisations should ensure that the same level of fraud detection and prevention processes are in place for those entities. This does, however, present a tension for UK-based multinational corporations, following the 2021 Supreme Court decision in Okpabi v Shell7, which we discuss in detail in this update:
- On the one hand, by being actively involved in the establishment and monitoring of its foreign subsidiary's fraud prevention program, a UK-based parent company could risk establishing a gateway for claims relating to the activities of its subsidiary in the foreign jurisdiction to be brought before the English courts (rather than the local courts);
- Conversely, if the parent company does not ensure that its fraud prevention program is properly implemented by its subsidiaries, it runs the risk of criminal prosecution under the failure to prevent fraud offence.
Ultimately, the most effective way of addressing both sets of risks is by having an effective group compliance program in place which is properly implemented and audited by the parent company, thereby reducing the likelihood of events occurring which could give rise to either a failure to prevent fraud offence, or large-scale group actions as in Okpabi.
2. Reform to the identification principle
The current framework for corporate criminal liability applies the "identification principle". This states that, where a mental state is a required element of an offence, only the mental state of a person representing the "directing mind and will" of a corporate can be attributed to that corporate.8 Establishing this has proved challenging for the SFO to make out in its prosecutions, which was highlighted in the 2018 decision in SFO v Barclays9.
The Act addresses this through the following reforms, which together should make it more straightforward for the SFO successfully to prosecute corporates for economic crimes:
- Corporate liability: An organisation will be guilty of a "relevant offence" (discussed further below) if that offence is committed by a "senior manager" of the organisation acting within the actual or apparent scope of their authority.
- Definition of "senior manager": "Senior manager" is defined as an individual who plays a significant role in either (a) the making of decisions about how the whole or a substantial part of the activities of the organisation are to be managed or organised, or (b) the actual managing or organising of the whole or a substantial part of those activities.
- Definition of "relevant offence": A "relevant offence" is one of the offences listed at a new schedule to the Act. This list includes bribery, tax, fraud and false accounting offences. A "relevant offence" also includes attempt, conspiracy, encouraging or assisting, aiding, abetting, counselling or procuring the commission of an offence listed in the schedule.
- Geographic scope: Where no act or omission forming part of the relevant offence takes place in the UK, an organisation will not be guilty of an offence unless it would be guilty of the relevant offence in the country where it was committed.
Corporates should consider who in their organisation could fall within the definition of "senior manager", given that the acts and omissions of such "senior managers" could result in the corporate being criminally liable for any offence such senior manager commits. Corporates should ensure that appropriate corporate governance processes to prevent economic crime are in place, particularly in relation to individuals who could be considered "senior managers". We set our recommendations in this regard in more detail in our previous alert on this subject. In summary, organisations should:
- identify individuals who could be considered senior managers, and provide regular training to them on prevention of the potential offences;
- conduct risk mapping exercises to identify business units with high-risk of potential economic crime, such as procurement;
- undertake regular monitoring, and imposing segregation of duties;
- maintain an independent internal audit function; and
- implement a robust whistleblowing program.
The new failure to prevent fraud offence and reform of the identification principle are potentially powerful new tools for the new (as of September 2023) Director of the SFO, Nick Ephgrave. We will continue to monitor and publish further alerts on the government's ongoing efforts to enhance the SFO's ability to prosecute economic crimes, such as the new independent review into how the disclosure regime is working in a digital age and whether the current fraud offences are fit for the purpose of investigating and prosecuting modern fraud.10
3 These include registration and transparency requirements to limit the risk of limited partnerships being used for illicit activities; enhanced powers for Companies House in relation to company filings that appear to be erroneous, anomalous or suspicious (more detail in the Companies House publication); and broadened criminal confiscation powers to include cryptoassets.
8 Tesco Supermarkets Ltd v Nattrass  UKHL 1.
9 The Serious Fraud Office v Barclays Plc & Anr  EWHC 3055 (QB)