Out-Law Guide

Managing corporate crime risk under the Economic Crime and Corporate Transparency Act 2023


The UK’s Economic Crime and Corporate Transparency Act 2023 (the Act) has reformed the law of corporate criminal attribution for a wide range of economic crimes and introduced a new offence of corporate failure to prevent economic crimes.

The objective of these reforms is to make it easier to prosecute companies for fraudulent activities and economic crimes committed by their managers, employees, subsidiaries, and service providers. This guide provides a summary of the reforms and their significance.

A new “reasonable procedures” defence is applicable to the failure to prevent offence. This guide provides a methodology and template for conducting a risk assessment as part of the steps to develop a reasonable procedures defence.

Corporate criminal attribution for economic crimes

From 26 December 2023, organisations will commit fraud and other economic crimes if any “senior manager” commits those crimes in the discharge of their role or in the course of their work.

Senior managers are individuals who play a significant role in: the making of decisions about how the whole or a substantial part of the activities of an organisation are managed or organised; or the actual managing or organising of the whole or a substantial part of those activities. The definition is sufficiently wide to extend to regional directors and even project managers depending on the size and importance of a project to the organisation.

The threshold for corporate criminal attribution is lowered for offences under a number of statutes, notably the: Theft Act 1968; Fraud Act 2006; Bribery Act 2010; Customs and Excise Management Act 1979; Forgery and Counterfeiting Act 1981; Value Added Tax Act 1994; Financial Services and Markets Act 2000; Financial Services Act 2012; Sanctions and Anti-Money Laundering Act 2018, in respect of money laundering and terrorist financing; international sanctions regulations; and the Proceeds of Crime Act 2002.

This legal reform is in addition to the failure to prevent fraud offence that has been introduced and applies to all body corporates, partnerships and similar organisational structures.

Why is this significant?

Organisations are significantly more exposed to committing primary economic crime offences than they were. The previous law of corporate criminal attribution only extended corporate criminal liability for fraud, theft, bribery and other offences, which required dishonest intent, to the actions of the “directing will and mind” of the organisation. In practice, this was often limited to the managing director or majority owner when they were also involved in the running of the company.

For example, under the Bribery Act 2010, the involvement in bribery of an overseas project manager would previously have given rise to the risk of corporate criminal liability for the secondary offence of failing to prevent bribery (section 7), for which there is a statutory defence of having in place adequate procedures and to which mandatory debarment does not apply, but not liability under section 1 of the Bribery Act 2010 (giving a bribe).

From 26 December 2023, the organisation which employed the project manager is at an increased risk of the primary offence of actual bribery contrary to section 1 of the Bribery Act 2010, for which there is no adequate procedures defence and to which mandatory debarment is applicable. There is also an increased risk of corporate liability where a senior manager receives a bribe contrary to section 2 of the Bribery Act 2010.

While there is not a reasonable procedures defence available, risk assessing the increased risks of corporate criminal liability from this reform, with the aim of enhancing preventative measures, is recommended.

Corporate criminal failure to prevent fraud and other economic crimes

The new UK corporate criminal offence of failure to prevent economic crimes, including but not limited to fraud, will make “large” body corporates and partnerships criminally liable for the acts of a person associated with them who commits an economic crime for the organisation’s benefit or for the benefit of any person to whom the associated person provides services on behalf of the organisation – for example, a customer.

Associated persons include employees, agents, subsidiaries, or any other person performing services ‘for or on behalf’ of the organisation. This definition could extend to suppliers when they provide ancillary services, agents, distributors, advisers, brokers, contractors, consultants, and joint venture partners.

For corporate criminal liability to apply in this context, the associated person must have intended to benefit either: the organisation for which they are working or providing services for and on behalf of; or another group company, a customer or client of the organisation who the associated person provides services to on behalf of their employing organisation.

In addition, a parent company is criminally liable for failing to prevent an economic crime by an employee of a subsidiary company where the fraudulent act was intended to benefit the parent company. However, liability is not triggered where the organisation is the intended victim of the associated person’s conduct.

The failure to prevent economic crimes offence applies to all UK-incorporated bodies or foreign-incorporated bodies that carry on a business or part of a business in the UK, subject to them meeting two or more of the following thresholds either individually or, with respect to parent companies, where the subsidiaries in aggregate meet the statutory thresholds: a turnover of more than £36m; a balance sheet total of more than £18m; and/or more than 250 employees.

Unlike the Bribery Act 2010 and the Criminal Finances Act 2017, extra-territoriality is not specifically provided for. However, the Criminal Justice Act 1993 had already extended UK jurisdiction for fraud and other economic crimes to where a “relevant event” occurred in the UK, including, for example, causing gain or a loss to another in the UK. The UK government’s factsheet on the failure to prevent fraud offence gives the following example: “If an employee commits fraud under UK law, or targeting UK victims, their employer could be prosecuted, even if the organisation (and the employee) are based overseas.”

The failure to prevent offence does not apply as broadly as the reform to corporate criminal attribution, but it is still far reaching in its application because it applies to the following economic crimes:

  • Fraud Act 2006: fraud by false representation; fraud by failing to disclose information; fraud by abuse of position; participating in a fraudulent business; obtaining services dishonestly;
  • Theft Act 1968 / Theft Act (Northern Ireland) 1969: misappropriating property – including electricity, gas, and water; false accounting/misleading underlying records; false statements by company directors to deceive members or creditors;
  • Companies Act 2006: fraudulent trading, meaning to carry out business for any fraudulent purpose;
  • cheating the public revenue; and
  • Scots common law fraud, uttering – presenting a misleading document, and embezzlement.

Why is this significant?

The UK’s corporate criminal failure to prevent offence model extends significantly beyond bribery and the facilitation of tax evasion to a broad range of economic crimes. Parent company liability is also significantly greater than under the Bribery Act 2010. These reforms have resulted, in part, from lobbying by the UK Serious Fraud Office. It is likely that corporate criminal enforcement will be an increased area of focus.

Reasonable procedures defence

It will be a defence to the failure to prevent economic crimes offence if the organisation can prove that it had reasonable prevention procedures in place, or that it was not reasonable in all the circumstances to expect it to have had any procedures in place. The offence will come into force when the UK government publishes statutory guidance on the reasonable procedures organisations should consider putting in place.

It is likely that the government’s guidance will follow the “six principles” recommended by existing statutory guidance for failing to prevent bribery or the facilitation of tax evasion.

The six principles are:

  • top-level commitment;
  • risk assessment, documented;
  • proportionate procedures;
  • due diligence;
  • communication and training;
  • monitoring and review.

Why is this significant?

The failure to prevent offence may come into force on publication of the guidance or shortly thereafter.

The six principles are well known but need to be adapted in their application to this new wide-ranging offence.

Responding to the failure to prevent economic crimes offence

There are no compliance duties under the failure to prevent economic crimes offence, but many organisations will wish to be in a position to avail themselves of the reasonable procedures defence. This will lead to contractually imposed warranties down supply chains requiring organisations to have in place reasonable fraud and economic crime prevention procedures.

It is therefore recommended that organisations have a reasonable procedures project plan. There are three stages to such a plan.

Stage 1: initial planning phase 

Top level commitment: 'top level commitment' will likely be a key principle of the reasonable procedures defence. The instigation of a project to develop reasonable procedures should have board or relevant committee/senior manager support with appropriate resources allocated to the exercise and any risk assessment and recommendations being reviewed and approved at a high level within the organisation. Meeting minutes should be kept, recording the board/committee approval and support of the project.

Forming a project team: depending on the size and structure of the business, to manage the project effectively, establishing an internal project delivery team will be helpful. For larger businesses, the team may comprise compliance, financial crime, and legal representatives. External legal or professional support is recommended to bring expertise and outside perspective to the exercise. Organisations may also wish to consider the application of legal privilege to the risk assessment exercise to protect sensitive findings from disclosure – this would require the taking of legal advice before commencing the review work.

Training for the project team: understanding the underlying offences to which the new laws apply will be informative to the review work. The project delivery team should receive training on the corporate criminal attribution reforms and the new failure to prevent economic crimes offence and the predicate, underlying, offences prior to commencing the review work.

Project plan: a project plan should be developed which will determine the scope of the review – for example, whether group wide or limited to specific subsidiaries or divisions, geographies, or key projects – as well as the timeline and budget for the project. It would be reasonable for businesses to start by conducting an overarching group level review before conducting deeper dives at a business unit or country level.

Stage 2: the risk assessment – planning, execution and review 

Having a documented risk assessment is likely to be a key pillar of the reasonable procedures defence. The focus of the risk assessment is the risk of associated persons of the organisation engaging in the prescribed economic crimes to benefit the organisation, the group, or its customers, rather than the risk of internal fraud against the organisation.

Planning and execution: the risk assessment needs to identify where the risks might exist – the inherent risk – and what existing controls are in place. The existing controls should operate to manage and reduce the level of inherent risk, enabling the business to identify the residual risk. This will allow a decision to be taken on whether enhanced controls are required to reduce the residual risk further.

Existing risk assessments and reviews: a starting point for a risk assessment is to consider what other relevant risk assessments are already in place for the failure to prevent the facilitation of tax evasion, failure to prevent bribery offences, money laundering and modern slavery. These risk assessments are likely to contain useful content for informing a broader economic crime risk assessment. Businesses may also have reports and data on other reviews relating to tendering, contracting, and the effectiveness of financial controls which are likely to be informative.

Internal audit reports/past compliance review: internal audit reports and previous compliance reviews are often a useful source of information to collate and review when considering the effectiveness of the control environment. A point to check is whether findings and recommendations were followed through.

Whistleblowing/speak up reports/disciplinary investigations: reviewing any past reports of suspected or alleged fraud, theft or other economic crimes would also be helpful. This information will be found in past disciplinary investigations and whistleblowing management information.

Workshops: workshops with relevant personnel to identify how economic crimes to benefit the business, the group or its customers could materialise are recommended. Relevant personnel are likely to include:

  • executive directors and business division leaders – what is their assessment of the business culture? What risk areas/activities do they consider would benefit from being reviewed? Are there any profit enhancement strategies that should be reviewed? What can they point to by way of top-level commitment to the prevention of economic crimes to benefit the business?
  • compliance/financial crime – what lessons are there from the broader compliance/financial crime programme? What is their assessment of the business culture? Where do they perceive the risks to be?
  • legal – what allegations of fraud and other economic crimes have they seen from past civil disputes? Has civil fraud ever been alleged against the company? Are they aware of any past criminal allegations against the company or any individuals? Are there any risks of potential compliance with contractual pricing terms?
  • HR – have fraud allegations been raised in past disciplinary or whistleblowing reports? Are bonus and incentive schemes at risk of encouraging fraudulent or dishonest practices? Are there any risks around the accuracy of statements in applications/paperwork for visas and other work approvals?  
  • internal audit – have any risks concerning fraud, theft, financial statements, allocation of costs between contracts, or governance been identified in past internal audit exercises? What control weaknesses have they identified that would benefit from being looked at again?
  • finance – are there any risks around the preparation of management accounts and statutory accounts which would benefit from being reviewed? Are there any invoicing practices that need to be looked at? How confident are they in the company’s revenue recognition practices? Are they aware of any questionable cost allocation practices? What controls are there around the accuracy of audit representations?
  • sales functions – what controls are there around the accuracy of statements in sales materials, proposals and tender documents? Hypothetically, if a salesperson wanted to secure a contract or bid, is there a way they could do so fraudulently, for example, by putting false information in a bid? What controls are there to prevent that from occurring?
  • team/site/office project leaders – hypothetically, if there was a team leader who was under pressure or wanted to increase revenues and profits or to hit certain metrics, how would they achieve it by means of a fraudulent practice? Are there any risks of such things as inflated timesheets, double counting services or products when invoicing, or movement of costs between contracts? Is there any risk of not adhering to “open book” provisions or contractual terms on “cost plus” contracts? Are there any risks of theft/misuse of materials allocated to a project or which a customer has paid for? Are there any risks of diversion or misuse of utility supplies – water, electricity, gas – at office, site, or project level?
  • costs/billing teams – if a project or team wishes to engage in over-charging is there any means to do it? What controls would prevent that from arising? 

When planning the risk assessment workshops, key risk areas to consider are:

  • employee risks – where are the key areas where an employee might engage in fraudulent practices to benefit the business? Which employees may have an incentive or the means to commit fraud to benefit the company?
  • service providers/contractor risks – are there specific categories of service providers who pose a higher risk, for example intermediaries, brokers, and advisors in higher risk countries? 
  • site/location risk – are there any sites/locations which may be a higher risk for the misuse of equipment or utilities?
  • country risk – are there higher risks of fraud/economic crimes associated with operations outside of the UK? For example, any increased risk of false statements around obtaining visas, duty declarations, licences to operate, currency controls?
  • M&A risk – does financial crime due diligence need to be expanded in a deal context to reduce the risk of the company inheriting a risk via an acquisition?
  • sales risk – is there a higher risk associated with any of the products, goods or services offered by the business? For example, where sales and marketing materials may be called into question? Are false statements in tenders a risk area?
  • contracting risk – is there any risk that the terms on which the business is contracting with customers cannot be adhered to? Is the business engaging in public sector contracts with open book provisions? Is there a risk of non-adherence with those terms? Are there any risks with discounts or rebate structures?
  • higher risk communications – are there any risks concerning the accuracy of statements to regulators, auditors, insurers, banks and investors?
  • fraudulent trading risk – could any business practices be viewed as dishonest by creditors or customers?
  • controls – what controls currently exist within the business to reduce the inherent fraud risks that have been identified – for example, tender rules; dual sign off arrangements; divisions of responsibilities; other governance and oversight approvals; on-boarding systems/controls/due diligence for service providers; contractual controls; financial controls; whistleblowing procedures; training; and internal compliance reviews and audits.

Stage 3: developing reasonable procedures

The risk assessment will inform the procedures that are reasonable for the business to put in place. Many organisations will already have procedures in place for risk areas which are likely to be capable of being extended to address wider economic crime risks.

A reasonable procedures framework should be developed, proportionate to perceived risk. It might include:

  • documented risk assessment which is reviewed and updated;
  • code of ethics/conduct to cover the new failure to prevent economic crime offence and/or a group-wide financial crime policy statement and guidance;
  • compliance procedures covering economic crimes;
  • delegations of authority; divisions of responsibility; and dual authorisations;
  • tender and bid content assurance;
  • accuracy assurance of sales materials;
  • employee recruitment checks;
  • bonuses and incentives scheme to reflect the importance of integrity and ethics;
  • third party due diligence to address broader financial crime risks through, for example, increased adverse media screening;
  • monitor adherence with contractual terms, particularly open book/good faith terms;
  • financial controls including assurance and monitoring of time recording, accounting for materials, billing practices;
  • assurance of statements to regulators, auditors, insurers, banks, creditors and shareholders;
  • communications and training to employees and higher risk associated persons about the new economic crime offence and policy adaptations;
  • additions to compliance monitoring framework;
  • internal audits and external reviews.

For further information, please contact one of our specialist corporate crime experts, Stacy Keen, Neil McInnes, or Tom Stocker; and for financial controls, forensic accountant Hinesh Shah.
