Significant reform of UK corporate criminal law with legislation now passed

The Economic Crime and Corporate Transparency Act (the Act), which received Royal Assent last week, introduces a new offence of corporate failure to prevent fraud. Once official compliance guidance is published, “large organisations” will be criminally liable should they fail to prevent fraud and other economic crimes committed by associated persons, when the fraudulent conducted is intended to benefit the organisation. The new corporate criminal liability will not be triggered where the organisation itself is the victim of the offence.

Large organisations are commercial organisations which meet two or more of the following criteria: a net turnover of £36m or more; a net balance sheet of £18m; and 250 or more employees. Parent companies are caught if their group subsidiaries collectively meet these thresholds.

The offence captures a broad range of corporate criminal conduct from across the UK’s Fraud, Theft and Companies Acts, as well as the common law offence of cheating the revenue and fraud under Scots common law. It will apply where any element of the offence occurs in a UK jurisdiction regardless of whether the individual was a British citizen or was in that jurisdiction at any material time.

The new offence differs from those of failure to prevent bribery and failure to prevent the facilitation of tax evasion in significant ways. Liability for failure to prevent bribery or the facilitation of tax evasion is not limited to large organisations. In addition, the Bribery Act 2010 does not consider subsidiary companies to be associated persons of a parent company unless the subsidiary is performing services for the parent company. By contrast, for the purposes of the failing to prevent fraud offence, subsidiary companies are associated persons of their parent company. In addition, the Act expressly provides that an employee of a subsidiary company is an associated person of a parent company, which is an expansion of the meaning of an associated person from the existing offences.

An organisation will have a defence against liability for the new offence if it can prove that, at the time the fraud offence was committed, it had reasonable procedures in place to prevent a fraud offence being committed or that it was not reasonable in all the circumstances to expect it to have any prevention procedures in place. The government must publish guidance on the reasonable procedures that companies should put in place before the new offence can come into force.

Corporate criminal defence expert Tom Stocker of Pinsent Masons said: “The legislation is intended to make it easier to hold companies to account and to prosecute them for the criminal conduct of their employees, subsidiaries, agents, professional advisors and other service providers when the intended beneficiary of the act is the company. The Serious Fraud Office has been pushing for this legislation for more than 10 years.”

“The new law is, in my view, more significant than the Bribery Act because it captures a far wider range of associated persons, activities and conduct. The definition of associated persons is broader than under the Bribery Act and it will be easier for UK-headquartered companies to be held liable for the actions of their employees and subsidiaries, including overseas subsidiaries,” he said.

The Act also strengthens the ‘identification principle’ – the legal test for determining whether the criminal actions of individuals can be attributed to a company – by placing it on a statutory basis and extending those for whose actions an organisation is criminally liable from the current “directing mind and will” to “senior managers”. Under the current common law regime in place in England and Scotland, generally companies can only be found liable for the economic crimes of a person who had the status and authority to constitute the company’s “directing mind and will”. This has made conviction of a company for offences requiring proof of intentional wrongdoing or dishonesty at the directing mind level, such as fraud and other economic crime, difficult to establish evidentially in all but the smallest organisations. 

From 26 December 2023, companies and firms will be held criminally liable for actual fraud and a range of economic crimes when perpetrated by their senior managers. This is in addition to the failure to prevent fraud offence and for which there is not a reasonable procedures defence.

‘Senior manager’ in this context will include decision makers at group level and those involved in managing a substantial part of a business, such as regional or divisional directors and, conceivably in some scenarios, even project level senior management.

Stocker said: “In practice, we come across far more cases of fraud than bribery but, until now, there was limited corporate criminal risk under UK law. That has now changed and it is clear the new failure to prevent fraud offence and the significant change to the principles of corporate criminal attribution for the principal fraud offences will embolden the SFO, and I anticipate corporates will be an increasing area of focus for the SFO and other prosecutors.”

“While we await the reasonable procedures guidance, it is highly likely to adopt the existing ‘six principles’ model. It would be prudent for commercial organisations to review and either update or put in place robust fraud risk assessments, and prevention programmes covering areas such as tenders, time recording, invoicing and discounts and rebates arrangements – which are areas where we see outward fraud risks for businesses arising,” he said.

The Act also introduces a number of provisions designed to improve corporate transparency within the UK including the introduction of identity verification for all new and existing registered company directors and personal service companies, and those delivering documents to the Registrar. As these provisions require changes to Companies House systems and additional secondary legislation, they are not expected to come into force until the latter part of 2024. However, the Registrar of Companies has indicated that certain provisions of the Act, including a requirement for companies to have a registered email address, will come into force in January 2024.