Overview

The UK Bribery Act 2010 introduced the ‘failure to prevent’ approach to corporate criminal liability; and The Criminal Finances Act 2017 contains ‘failure to prevent the facilitation of tax evasion’ offences.

The Economic Crime and Corporate Transparency Act (ECCTA) 2023 introduced the risk of prosecution for non-compliant 'large organisations' whose associated persons (e.g., employees, agents or subsidiaries) commit fraud, intending to benefit (whether directly or indirectly) the large organisation.

The ECCTA received Royal Assent on 26 October 2023.

Large Organisation

A large organisation is an organisation which satisfies two or more of the following conditions in the financial year preceding the year of the offence: (i) more than 250 employees: (ii) more than £36 million turnover; and / or (iii) assets of more than £18 million.

ECCTA 2023

Sec.199 of ECCTA provides that a large organisation which fails to maintain reasonable procedures designed to prevent fraud by an associated person, could be prosecuted in the criminal courts.

The 'Failure to Prevent Fraud Offence' is expected to come into force in late 2024 or 2025. The delay is to allow:

The Government to consult on the content of guidance to be introduced on ‘reasonable fraud prevention procedures’ and the failure to prevent offence.
Companies sufficient time to prepare for the new requirements.

Strict Liability

When implemented the failure to prevent fraud offence provides that a large organisation could be strictly liable if:

a specified offence is committed by an employee or other associated person (e.g., contractor, intermediary or agent);
the fraud is intended to benefit the organisation or a person to whom services are provided on behalf of the organisation (e.g., customers and clients); and
the organisation did not have reasonable prevention procedures in place to prevent the fraud from arising.

The offence will also apply to a parent entity where the parent and its subsidiaries meet, in aggregate, two or more of the large organisation criteria.

Timeline Consideration

The Conservative Government had been expected to issue guidance on reasonable procedures, prior to the failure to prevent offence entering into force. It is currently unclear whether the timeline will be impacted following the General Election and change to a Labour Government, in July 2024.

What's the impact?

Prosecution Risk

A large organisation could be liable where an employee (or agent) commits a specified offence for the organisation's benefit, where reasonable procedures are not in place to prevent involvement in a specified offence:

There would be no requirement to demonstrate senior management knowledge of an employee or agent committing a specified offence.
Criminal liability could apply to organisations which fail to assess and respond to the risk of fraud involving employees or agents.

If an employee of a large organisation commits fraud under UK law, or targeting UK victims, their employer could be prosecuted, even if the organisation (and the employee) are based overseas.

Whether or not a person performs services for or on behalf of an organisation will be determined by the relevant circumstances and not merely by reference to the nature of relationship between that person and the organisation.

Regulatory Risk

Firms supervised by the Financial Conduct Authority ('FCA') are already subject to compliance with regulatory requirements set out in the FCA Handbook, which include: "A firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime." [SYSC 3.2.6]

A large organisation supervised by the FCA could be subject to regulatory intervention or enforcement activity if significant non-compliance is identified with a legal or regulatory requirement.

Internal Control Risk

The failure to prevent fraud offence under criminal law will apply to all 'large organisations'. When passed, the new Act will:

Discourage organisations from turning a blind eye to fraud events.
Encourage implementation and maintenance of reasonable fraud prevention procedures (e.g., using a risk-based approach).
Make it easier to prosecute non-compliant organisations in the criminal court.

Is there a defence?

Reasonable Prevention Procedures

Sec.199 (4) of the ECCTA 2023 suggests a defence may be available to the ‘failure to prevent fraud’ offence, where a large organisation can prove that, at the time the fraud offence was committed:

the body had in place such prevention procedures as it was reasonable in all the circumstances to expect the body to have in place, or
it was not reasonable in all the circumstances to expect the body to have any prevention procedures in place.

Whether current arrangements are sufficient requires consideration of how a large organisation could be linked to a specified offence and assessing whether existing controls would be considered reasonable.

It may be reasonable to have no prevention procedures in place (e.g., where the assessed risk is extremely low and the rationale is sufficiently documented).

Risk Assessment

An appropiate defence would involve documenting an assessment of where fraud risk might be present in a large organisation's operating environment.

Examples of areas to review/assess include:

Tone-from-the top (e.g., Policy content).
Management information (e.g., Key risk indicators).
Understanding of the risks (e.g., Fraud typologies).
Internal controls (e.g., Effectiveness of fraud prevention measures).
Transaction risk (e.g., In supply and distribution activity).
Funds flow (e.g., Transparency and legitimacy).
Use of agents or intermediaries (e.g., Contract terms and conditions).
Staff awareness of fraud (e.g., Training content and completion rates).
Whistle-blowing (e.g., suspicion and incident-reporting arrangements).

Risk Response

A large organisation's response to assesed risk should reduce opportunity for fraud-related events, incorporating measures to manage, eliminate, or limit the impact of risk-events. An effective response could include:

Board or senior management team engagement.
Risk-based procedure to reduce opportunity for misconduct.
Clarity of responsibility for risk-ownership, oversight and testing of, the application of policy and procedure.
Raising staff awareness of fraud risk.
A mechanism for staff to report suspected misconduct.
Reporting to senior management on key risk indicators and control testing.
Escalation and reporting of notifiable events.
Routine review/refresh of applicable policy and procedure.
Obtain specialist support / assistance where necessary.

Additional context

SYSC326

Government guidance should aid organisations' to identify measures to introduce, or action(s) to take in order to provide (or evidence) reasonable prevention / internal defence arrangements.

Guidance will not be prescriptive. Large organisations will be expected to assess the measures required for their particular operational framework.

The content of reasonable procedures for company 'A' may not be suited to company 'B', due to differences in organisational structure, operations, control environment or product/service offering.

SYSC326 supports organisations to identify and respond to fraud risk, or fraud events, and to prepare for the new failing to prevent fraud offence, by:

Supporting stakeholder planning for the new failure to prevent offence.
Advising on fraud control framework design and implementation.
Facilitating fraud risk-assessments.
Supporting development of policy and risk-based operating procedure.
Supporting Compliance monitoring and assurance testing arrangements.

To contact SYSC326 - Click Here

Failure to Prevent