The Economic Crime and Corporate Transparency Act: the clock is ticking for companies to prepare

Significant changes to the English law of corporate criminal liability have been introduced as part of the Economic Crime and Corporate Transparency Act 2023 (the Act), which received royal assent on 25 October 2023. Companies now face enhanced criminal risks (including potentially unlimited fines) in connection with conduct that previously might have remained in the civil Courts and raised expectations around compliance programmes. Companies now have a limited period of time to prepare for the changes presented by the new legal landscape. 

In this article we look at two key reforms to the law of corporate criminal liability introduced by the Act.

1. The Act has created a new offence of "failure to prevent" fraud, which is expected to come into force by the end of the first quarter 2024. This new offence is part of a wider reform of corporate criminal liability, but applies only to large organisations and their subsidiaries. 
2. The Act also expands the reach of the identification doctrine, which is the process by which the acts of individuals are attributed to a company, for the purpose of attributing criminal liability to the company for a broad range of economic offences. 

The changes are made in the context of an increased focus on fraud among regulators and prosecutors, particularly since Government statistics released in 2022 indicated that fraud accounted for 41% of all crime against individuals in England and Wales. The failure to prevent fraud offence is one tool being introduced to seek to address this rise in fraud and it will mark a sea change in the way large companies are expected to structure their compliance procedures with respect to fraud. At present, the vast majority of companies' fraud policies focus on the risk of a company losing money to fraud.

Companies should now start to review their compliance programmes in order to determine if they will need to be updated to ensure they cover the risk of the company and its associated parties defrauding others.

Set out below is:

1. an overview of the key elements of the new failure to prevent fraud offence and some practical examples of how this offence may apply to large companies in different circumstances, such as when making statements about the company's performance and/or green credentials and sales practices;
2. an overview of the changes to the test for corporate criminal liability and its likely impact on companies of all sizes; and
3. practical steps companies can take now to prepare for the coming changes. 

1. The failure to prevent fraud offence

The offence's mechanics

The failure to prevent fraud offence is set out in section 199 of the Act. Under the new offence, a large organisation (and its subsidiaries) will be liable if it fails to prevent an associated person committing a specified fraud offence where that fraud is intended to benefit the organisation or a person to whom services are provided on behalf of the organisation.

Significantly, there is a total defence to the failure to prevent fraud offence where an organisation can demonstrate it had in place reasonable procedures at the time of the offending. 

It should also be noted that an organisation will not be liable for the offence in certain circumstances where it can show it was the intended victim of the underlying fraud. 

Which fraud offences are in scope?

The fraud offences covered by the offence are set out in schedule 13 of the Act. They are wide ranging and include (as well as aiding, abetting, or procuring the commission of such offences) the following offences (along with further offences under Scottish and Northern Irish criminal law):

• Fraud by false representation (section 2, Fraud Act 2006);
• Fraud by failing to disclose information (section 3, Fraud Act 2006);
• Fraud by abuse of position (section 4, Fraud Act 2006);
• Participation in a fraudulent business (section 9, Fraud Act 2006);
• Obtaining services dishonestly (section 11, Fraud Act 2006);
• False accounting (section 17, Theft Act 1968);
• False statements by company directors (Section 19, Theft Act 1968);
• Fraudulent trading (section 993, Companies Act 2006); and
• Cheating the public revenue (common law).

In practice, this list of offences will capture a broad range of conduct. This will likely include statements made by companies in their financial documents and accounts, regulatory filings, sales materials, insurance claims and prospectuses. In all cases though, the underlying fraud offence must be made out, so a prosecutor would always need to establish dishonesty on the part of the perpetrator as a first step. Also, while the failure to prevent offence itself does not impose any jurisdictional limits on how closely connected to the UK the conduct must be, the jurisdictional limits of the underlying fraud offence must be met in any prosecution.

Which organisations are in scope?

As a starting point, the failure to prevent offence applies to companies and partnerships, wherever in the world they are incorporated or formed. However, there is an important limitation based on an organisation's size.

Prior to the Act receiving royal assent, a final area of debate between the Houses of Commons and Lords revolved around whether all companies and partnerships, regardless of size, should be in scope for the new offence. Ultimately, it was determined that the principal failure to prevent fraud offence only applies to "large organisations".

Large organisations are defined as organisations which in the financial year prior to the year of the offence, satisfy two or more of the following:

• Turnover of more than £36 million;
• Balance sheet total of more than £18 million; or
• More than 250 employees.

This does not, however, mean that companies that do not meet those thresholds are completely outside the scope of the new offence. Subsidiaries of large organisations, regardless of their size, will be liable for fraud offences committed by their employees (but not a wider group of associated persons) where the intention of the conduct was to benefit the subsidiary. This could mean that small, UK based subsidiaries of larger overseas companies may fall within the scope of the offence. 

Who is an associated person?

The definition of an associated person is similar to that under the Bribery Act 2010 but with some important distinctions. Like with the Bribery Act, a person who performs services for or on behalf of a company will be an associated person under the new offence. However, unlike under the Bribery Act, under the new offence, employees, agents and subsidiaries will automatically be associated persons of a company. This marks a change from the Bribery Act, particularly in the case of subsidiaries, where there is often real analysis to be performed as to whether they are in fact performing services on behalf of their parent company.

Who might be an associated person?

• Employees
• Agents
• Subsidiaries
• Advertisers hired by a company
• Brokers and sales agents acting for a company
• Professional advisers 

Hypothetical examples of the failure to prevent fraud offence

Let's consider three hypothetical scenarios alongside this new failure to prevent fraud offence.

Scenario 1 – Greenwashing in an annual report: A FTSE 250 UK consumer goods business claims in its annual report that the creation of its products is net-zero with respect to CO2 emissions. This statement was inserted by a team of analysts who knew it was not likely to be true when tested but wanted to satisfy shareholder demands around sustainability and the good press that would flow from making this statement. It is subsequently determined that this environmental claim is misleading. 

In this scenario, it would appear likely that the employees who made the statement were associated persons of the company and, subject to establishing dishonesty on their part, committed an underlying fraud offence. 

This is, therefore, likely to mean that the corporate (assuming it is sufficiently large and does not have in place reasonable prevention procedures) will have committed the offence of failing to prevent this fraud from taking place, even if no senior individuals in the company knew about it.

Scenario 2 – Misleading telesales scripts: A junior employee in the telesales team at a company selling boilers drafts a script that contains deliberately misleading statements about the safety record of one of the boilers he is trying to sell with the intention of increasing sales of the boiler. He uses that script when speaking to potential customers.

Even though the employee here is junior within the company, it is likely the boiler company (assuming it is sufficiently large and does not have in place reasonable prevention procedures) will be liable for the failure to prevent fraud offence on the basis of his conduct. 

Scenario 3 – Misleading search engine adverts: A search engine runs an advertisement for a carbon credit trading scheme that is identified as a sham.  

It is unlikely that the fraudster setting up the carbon credit trading scheme would be an associated person of the search engine company and would not be acting for the benefit of the search engine in creating this fraudulent scheme. Therefore, it is unlikely this would lead to a prosecution of the company that runs the search engine for failing to prevent this fraud.

2. Revision of the identification doctrine for economic crime offences

The failure to prevent fraud offence is just one way the Act seeks to reform the law around corporate criminal liability. Additional changes are also made under the Act to extend the scope of corporate criminal liability for all companies in relation to a range of wider economic offences.  These wider changes to the law of corporate criminal liability are explored below and will take effect sooner than the failure to prevent offence; from late December 2023. 

Currently, corporate criminal liability is generally established under English law by using the "identification doctrine". This is a legal test for determining whether the actions of a natural person can be attributed to a corporate to create criminal liability for the corporate. Under current law, the natural person in question must be the "directing mind and will" of the company for its actions to be attributed to the company.

The identification doctrine has been criticised for causing difficulty when prosecuting corporates as it has been very narrowly interpreted by the Courts. This has created significant challenges for prosecutors when pursuing large organisations in particular as they generally have multiple layers of management, so it is difficult to identify the directing mind and will. By way of example, the Serious Fraud Office's (SFO) prosecution of the Chief Executive Officer and Chief Financial Officer of Barclays Bank Plc, amongst other senior leaders, failed in 2020 as the Court found these individuals did not represent the directing mind and will of the bank. 

Section 196 of the Act is set to change this test for a wide range of economic crime offences to better reflect modern, complex corporate structures. The identification doctrine will remain as the test for attributing the action of an individual to a company, but the directing mind and will test will be replaced by a new test based on whether or not the individuals involved are considered to be "senior managers" of the company. A senior manager is defined as an individual who plays a significant role in the decision making, management or organisation of the whole or substantial part of the activities of a body corporate or partnership. This is likely to include a much broader range of individuals than those that make up the directing mind and will of the company.

The updated identification doctrine applies a list of offences set out in Schedule 12 of the Act which include theft, various fraud and tax offences, bribery offences under the Bribery Act, money laundering offences under the Proceeds of Crime Act 2002 and terrorist financing offences under the Terrorism Act 2000.

Unlike the failure to prevent fraud offence, this change will apply to all companies, with no limitations based on size. There will also be no defence based on preventative procedures. 

3. How organisations can start to prepare

Preparing for the failure to prevent fraud offence

The failure to prevent fraud offence will not take effect until statutory guidance is published on what can be expected of a company in implementing the reasonable prevention procedures required to establish a defence under the Act. That guidance is expected to be finalised before the end of the first quarter 2024, after which, companies may have only limited time to respond and prepare. 

What will the statutory guidance say?

The starting point for the statutory guidance is likely to be the guidance issued to support the Bribery Act in 2011 and the failure to prevent tax evasion offence in 2017. However, there are expectations that it will be updated and enhanced to reflect developments in corporate practice over the last decade, in particular the use of technology in compliance programmes. For example, we anticipate there could be direction on subjects that are absent from the Bribery Act guidance, such as how a company uses data analytics and management information to manage fraud risk and around how companies might investigate fraud issues internally.  

Updating the guidance in this way will be important. The more detailed and current the guidance, the more effective it is likely to be in assisting companies in combatting fraud. In recent years, agencies in other jurisdictions (particularly the US and France) have continued to provide increasingly up-to-date guidance on their expectations of companies' compliance frameworks. To provide guidance mirroring the guidance of the Bribery Act would risk perpetuating an outdated model and make the UK somewhat of an outlier in that respect. 

Even in advance of the guidance being published, organisations can take steps to prepare for the new compliance standards that will likely be created as a result of this new failure to prevent fraud offence. Steps that large organisations should consider taking include:

• Reviewing and assessing policies and procedures to determine whether there are pre-existing provisions relating to the prevention of fraud by employees, subsidiaries and agents against third parties. If there are not, organisations should decide how they wish to implement such policies and procedures through their existing compliance framework (e.g., updating an existing fraud policy).
• Giving consideration to where relevant risks and responsibilities for managing such risks sits within the organisation, given the wide range of conduct potentially caught by the new offence – from management of third parties, to tax matters, to preparing and filing accounts.
• Starting to map out communications and training plans to ensure companies are in a position to identify these new risks created by their associated persons, although the content may be further refined when the statutory guidance is published. 

Preparing for the changes to the identification doctrine

Companies should also take steps to prepare for the changes to the law around the attribution of corporate criminal liability. These changes will come into force sooner than the failure to prevent fraud offence, in late December 2023, and no guidance is expected prior to them taking effect.

The aim of the legislative change is to broaden the group of employees deemed senior enough to have their acts attributed to the company. Companies may begin preparations on that basis. 

Companies may wish to consider the following actions to address this expansion of the identification principle:

• Identify which employees are exercising management responsibilities and are therefore sufficiently senior to have their actions attributed to the company.
• Review existing records to determine whether that group has been fully trained in relation to the wide range of financial crime offences in the scope of this new law and whether any historical issues have arisen relating to the conduct of the employees at that level.
• Ensure that group of managers are properly trained in relation to a wide range of financial crimes and associated risks, including how the company communicates with that group around training.
• Review recruitment processes for the hiring of individuals into management roles to address the risks a particular individual may present in terms of compliance with criminal law.

4. Further steps in the Act to combat economic crime and enhance transparency 

The Act is a large, wide ranging piece of legislation and the corporate criminal liability reforms discussed in this article are only a small set of the changes being introduced.

One additional area of change that may have an impact on companies in the area of economic crime relates to an expansion of the SFO's pre-investigation powers of compulsion of evidence under the Criminal Justice Act 1987. 

Previously, the SFO was only able to use its powers of compulsion before opening a formal investigation, to assist in its determination of whether to commence such an investigation, in cases of potential bribery and corruption. The Act removes that limitation, allowing the SFO to use those powers of compulsion in respect of a wider range of economic crimes, including fraud.

These additional powers will be a useful tool for the SFO as it begins to look at potential cases using the new failure to prevent fraud offence and it may result in more section 2 Criminal Justice Act notices, more dawn raids, and ultimately more formal SFO fraud investigations now that a significant initial obstacle to getting them off the ground has been removed. 

Additionally, the Act introduces numerous changes relating to enhancing corporate transparency. Our colleagues in our Corporate team have considered some of those developments here.