Failure to Prevent
The UK Bribery Act 2010 introduced the ‘failure to prevent’ approach to corporate criminal liability. The Criminal Finances Act 2017 also contains ‘failure to prevent the facilitation of tax evasion’ offences.
Now, the Economic Crime and Corporate Transparency Act (ECCTA) 2023 introduces the risk of prosecution for non-compliant 'large organisations' whose associated persons (e.g., employees, agents or subsidiaries) commit fraud, intending to benefit (whether directly or indirectly) the large organisation.
A large organisation is an organisation which satisfies two or more of the following conditions in the financial year preceding the year of the offence: (i) more than 250 employees: (ii) more than £36 million turnover; and / or (iii) assets of more than £18 million.
The ECCTA received Royal Assent on 26 October 2023.
Under Sec.199 of the ECCTA, a large organisation which fails to maintain reasonable procedures, designed to prevent fraud by an associated person, could soon be prosecuted in the criminal courts.
ECCTA provisions will come into force at a later date. The delay is to allow:
When implemented the ECCTA provides that large organisations could be strictly liable if:
The offence will also apply to a parent entity where the parent and its subsidiaries meet, in aggregate, two or more of the large organisation criteria.
The government is expected to issue guidance on reasonable procedures, prior to the failure to prevent offence entering into force.
A large organisation could be liable where an employee (or agent) commits a specified offence for the organisation's benefit, where reasonable procedures are not in place to prevent involvement in a specified offence:
If an employee of a large organisation commits fraud under UK law, or targeting UK victims, their employer could be prosecuted, even if the organisation (and the employee) are based overseas.
Firms supervised by the Financial Conduct Authority ('FCA') are already subject to compliance with regulatory requirements set out in the FCA Handbook, which include: "A firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime." [SYSC 3.2.6]
A large organisation supervised by the FCA could be subject to regulatory intervention or enforcement activity if significant non-compliance is identified with a legal or regulatory requirement.
The failure to prevent fraud offence under criminal law will apply to all 'large organisations'. When passed, the new Act will:
The Bribery Act 2010 provides a defence in law for the failure to prevent bribery offence. A similar defence will be available if a large organisation can show that despite a particular case of fraud, it nevertheless has reasonable prevention procedures in place to prevent persons associated with it from committing a specified offence.
Whether current arrangements are sufficient requires consideration of how a large organisation could be linked to a specified offence and assessing whether existing controls would be considered reasonable.
It may be reasonable to have no prevention procedures in place (e.g., where the assessed risk is extremely low and the rationale is sufficiently documented).
An appropiate defence would involve documenting an assessment of where fraud risk might be present in a large organisation's operating environment.
Examples of areas to review/assess include:
A large organisation's response to assesed risk should reduce opportunity for fraud-related events, incorporating measures to manage, eliminate, or limit the impact of risk-events. An effective response could include:
Government guidance should help inform a focus for what to consider for inclusion in an organisation's reasonable prevention or internal defence arrangements, but guidance is not prescriptive.
The content of reasonable procedures for company 'A' may not be suited to company 'B', due to differences in organisational structure, operations, control environment or product/service offering.
SYSC326 supports organisations to identify and respond to fraud risk, or fraud events, and to prepare for the new failing to prevent fraud offence, by:
Before the new failing to prevent offence enters into force the government intends to conduct a public consultation in 2024, on the nature and content of guidance to be introduced on ‘reasonable fraud prevention procedures’, relevant to the new failure to prevent fraud offence
Employers meeting the large organisation criteria are advised to carry out an early assessment of the potential impact of the failure to prevent fraud offence, to inform senior management awareness of any next steps which may be required to, for example:
An organisation can receive an unlimited fine. Courts will take account of all the circumstances in deciding the appropriate level for a particular case.
The offence applies to all sectors but is targeted at large organisations – defined (using the standard Companies Act 2006 definition) as organisations meeting two out of three of the following criteria: more than 250 employees, more than £36 million turnover and more than £18 million in total assets.
Yes. Equivalent offences in Scotland and Northern Ireland will be included in the base offence list, with a power for the relevant Minister in Scotland or Northern Ireland to amend the list with regards to offences they are responsible for (devolved offences).
If an employee commits a specified fraud offence under UK law, or targeting UK victims, their employer could be prosecuted, even if the organisation (and the employee) are based overseas.
The failure to prevent fraud offence is intended to cover offences most likely to be relevant to corporations:
The government has not introduced a personal liability in the ECCTA for the failure to prevent fraud offence, where an individual did not consent or know of the offence happening.
Under pre-existing legislation, individuals can be prosecuted for committing, encouraging or assisting fraud (e.g., being knowingly involved).
The Companies Act 2006 also provides that a company director must:
Under the ECCTA an employing organisation could be prosecuted without having to demonstrate senior management knowledge or awarenes of an employee or agent committing a specified offence.
Where a director is found to have connived or conspired in the commisison of a specified criminal offence (e.g., theft or fraud), or to have failed to comply with certain Companies Act requirements, then he may be prosecuted under an applicable law (e.g., The Theft Act 1968, The Companies Act 2006, etc.,).
