The UK Bribery Act 2010 introduced the ‘failure to prevent’ approach to corporate criminal liability, and the Criminal Finances Act 2017 contains ‘failure to prevent the facilitation of tax evasion’ offences.
The Economic Crime and Corporate Transparency Act (ECCTA) 2023 introduced the risk of prosecution for non-compliant 'large organisations' whose associated persons (e.g., employees, agents or subsidiaries) commit fraud, intending to benefit (whether directly or indirectly) the large organisation.
The ECCTA received Royal Assent on 26 October 2023.
A large organisation is an organisation which satisfies two or more of the following conditions in the financial year preceding the year of the offence: (i) more than 250 employees; (ii) more than £36 million turnover; and / or (iii) assets of more than £18 million.
Sec.199 of ECCTA provides that a large organisation which fails to maintain reasonable procedures designed to prevent fraud by an associated person could be prosecuted in the criminal courts.
The 'Failure to Prevent Fraud Offence' is expected to come into force in 2025. The delay is to allow sufficient time for:
When implemented, the failure to prevent fraud offence provides that a large organisation could be strictly liable if:
The offence will also apply to a parent entity where the parent and its subsidiaries meet, in aggregate, two or more of the large organisation criteria.
A definitive implementation timeline is currently unclear, following the change in Government arising out of the July 2024 General Election.
Large organisations could benefit from the pre-implementation delay by completing a risk-assessment (i.e., identifying where 'associated persons' might have the capability and opportunity to carry out fraudulent activity).
A large organisation could be liable where an employee (or agent) commits a specified offence for the organisation's benefit, where reasonable procedures are not in place to prevent involvement in a specified offence:
If an employee of a large organisation commits fraud under UK law, or targeting UK victims, their employer could be prosecuted, even if the organisation (and the employee) are based overseas.
Whether or not a person performs services for or on behalf of an organisation will be determined by the relevant circumstances and not merely by reference to the nature of the relationship between that person and the organisation.
Firms supervised by the Financial Conduct Authority ('FCA') are already subject to compliance with regulatory requirements set out in the FCA Handbook, which include: "A firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime." [SYSC 3.2.6]
A large organisation supervised by the FCA could be subject to regulatory intervention or enforcement activity if significant non-compliance is identified with a legal or regulatory requirement.
The failure to prevent fraud offence under criminal law will apply to all 'large organisations'. When passed, the new Act will:
Sec.199 (4) of the ECCTA 2023 suggests a defence may be available to the ‘failure to prevent fraud’ offence, where a large organisation can prove that, at the time the fraud offence was committed:
Whether current arrangements are sufficient requires consideration of how a large organisation could be linked to a specified offence and assessing whether existing controls would be considered reasonable.
It may be reasonable to have no prevention procedures in place (e.g., where the assessed risk is extremely low and the rationale is sufficiently documented).
An appropriate defence would involve documenting an assessment of where fraud risk might be present in a large organisation's operating environment.
Examples of areas to review/assess include:
A large organisation's response to assessed risk should reduce opportunity for fraud by 'associated persons' in the operating environment. An effective response could include:
Government guidance should help organisations to identify measures to introduce, or actions to take, in order to provide (or evidence) reasonable prevention / internal defence arrangements.
Guidance will not be prescriptive. Large organisations will be expected to assess the measures required for their particular operational framework.
The content of reasonable procedures for company 'A' may not be suited to company 'B', due to differences in organisational structure, operations, control environment or product/service offering.
SYSC326 supports organisations to identify and respond to fraud risk, or fraud events, and to prepare for the new failing to prevent fraud offence, by:
Before the new failing to prevent offence enters into force, a public consultation is expected to be completed in 2024 on the content of guidance to be introduced on ‘reasonable fraud prevention procedures’, relevant to the new failure to prevent fraud offence.
Employers meeting the large organisation criteria are advised to carry out an early assessment of the potential impact of the failure to prevent fraud offence, to inform senior management awareness of any next steps which may be required to, for example:
An organisation can receive an unlimited fine. Courts will take account of all the circumstances in deciding the appropriate level for a particular case.
The offence applies to all sectors but is targeted at large organisations – defined (using the standard Companies Act 2006 definition) as organisations meeting two out of three of the following criteria: more than 250 employees, more than £36 million turnover and more than £18 million in total assets.
Yes. Equivalent offences in Scotland and Northern Ireland will be included in the base offence list, with a power for the relevant Minister in Scotland or Northern Ireland to amend the list with regards to offences they are responsible for (devolved offences).
If an employee commits a specified fraud offence under UK law, or targeting UK victims, their employer could be prosecuted, even if the organisation (and the employee) are based overseas.
The failure to prevent fraud offence is intended to cover offences most likely to be relevant to corporations:
The government has not introduced a personal liability in the ECCTA for the failure to prevent fraud offence, where an individual did not consent or know of the offence happening.
Under pre-existing legislation, individuals can be prosecuted for committing, encouraging or assisting fraud (e.g., being knowingly involved).
The Companies Act 2006 also provides that a company director must:
Under the ECCTA, an employing organisation could be prosecuted without having to demonstrate senior management knowledge or awareness of an employee or agent committing a specified offence.
Where a director is found to have connived or conspired in the commission of a specified criminal offence (e.g., theft or fraud), or to have failed to comply with certain Companies Act requirements, then he may be prosecuted under an applicable law (e.g., The Theft Act 1968, The Companies Act 2006, etc.).