Out-Law Guide
08 Dec 2023, 2:07 pm
The UK’s Economic Crime and Corporate Transparency Act 2023 (the Act) has reformed the law of corporate criminal attribution for a wide range of economic crimes and introduced a new offence of corporate failure to prevent economic crimes.
The objective of these reforms is to make it easier to prosecute companies for fraudulent activities and economic crimes committed by their managers, employees, subsidiaries, and service providers. This guide provides a summary of the reforms and their significance.
A new “reasonable procedures” defence is applicable to the failure to prevent offence. This guide provides a methodology and template for conducting a risk assessment as part of the steps to develop a reasonable procedures defence.
From 26 December 2023, organisations will commit fraud and other economic crimes if any “senior manager” commits those crimes in the discharge of their role or in the course of their work.
Senior managers are individuals who play a significant role in: the making of decisions about how the whole or a substantial part of the activities of an organisation are managed or organised; or the actual managing or organising of the whole or a substantial part of those activities. The definition is sufficiently wide to extend to regional directors and even project managers depending on the size and importance of a project to the organisation.
The threshold for corporate criminal attribution is lowered for offences under a number of statutes, notably the: Theft Act 1968; Fraud Act 2006; Bribery Act 2010; Customs and Excise Management Act 1979; Forgery and Counterfeiting Act 1981; Value Added Tax Act 1994; Financial Services and Markets Act 2000; Financial Services Act 2012; Sanctions and Anti-Money Laundering Act 2018, in respect of money laundering and terrorist financing; international sanctions regulations; and the Proceeds of Crime Act 2002.
This legal reform is in addition to the failure to prevent fraud offence that has been introduced and applies to all body corporates, partnerships and similar organisational structures.
Organisations are significantly more exposed to committing primary economic crime offences than they were. The previous law of corporate criminal attribution only extended corporate criminal liability for fraud, theft, bribery and other offences, which required dishonest intent, to the actions of the “directing will and mind” of the organisation. In practice, this was often limited to the managing director or majority owner when they were also involved in the running of the company.
For example, under the Bribery Act 2010, the involvement in bribery of an overseas project manager would previously have given rise to the risk of corporate criminal liability for the secondary offence of failing to prevent bribery (section 7), for which there is a statutory defence of having in place adequate procedures and to which mandatory debarment does not apply, but not liability under section 1 of the Bribery Act 2010 (giving a bribe).
From 26 December 2023, the organisation which employed the project manager is at an increased risk of the primary offence of actual bribery contrary to section 1 of the Bribery Act 2010, for which there is no adequate procedures defence and to which mandatory debarment is applicable. There is also an increased risk of corporate liability where a senior manager receives a bribe contrary to section 2 of the Bribery Act 2010.
While there is not a reasonable procedures defence available, risk assessing the increased risks of corporate criminal liability from this reform, with the aim of enhancing preventative measures, is recommended.
The new UK corporate criminal offence of failure to prevent economic crimes, including but not limited to fraud, will make “large” body corporates and partnerships criminally liable for the acts of a person associated with them who commits an economic crime for the organisation’s benefit or for the benefit of any person to whom the associated person provides services on behalf of the organisation – for example, a customer.
Associated persons include employees, agents, subsidiaries, or any other person performing services ‘for or on behalf’ of the organisation. This definition could extend to suppliers when they provide ancillary services, agents, distributors, advisers, brokers, contractors, consultants, and joint venture partners.
For corporate criminal liability to apply in this context, the associated person must have intended to benefit either: the organisation for which they are working or providing services for and on behalf of; or another group company, a customer or client of the organisation who the associated person provides services to on behalf of their employing organisation.
In addition, a parent company is criminally liable for failing to prevent an economic crime by an employee of a subsidiary company where the fraudulent act was intended to benefit the parent company. However, liability is not triggered where the organisation is the intended victim of the associated person’s conduct.
The failure to prevent economic crimes offence applies to all UK-incorporated bodies or foreign-incorporated bodies that carry on a business or part of a business in the UK, subject to them meeting two or more of the following thresholds either individually or, with respect to parent companies, where the subsidiaries in aggregate meet the statutory thresholds: a turnover of more than £36m; a balance sheet total of more than £18m; and/or more than 250 employees.
Unlike the Bribery Act 2010 and the Criminal Finances Act 2017, extra-territoriality is not specifically provided for. However, the Criminal Justice Act 1993 had already extended UK jurisdiction for fraud and other economic crimes to where a “relevant event” occurred in the UK, including, for example, causing gain or a loss to another in the UK. The UK government’s factsheet on the failure to prevent fraud offence gives the following example: “If an employee commits fraud under UK law, or targeting UK victims, their employer could be prosecuted, even if the organisation (and the employee) are based overseas.”
The failure to prevent offence does not apply as broadly as the reform to corporate criminal attribution, but it is still far-reaching in its application because it applies to the following economic crimes:
The UK’s corporate criminal failure to prevent offence model extends significantly beyond bribery and the facilitation of tax evasion to a broad range of economic crimes. Parent company liability is also significantly greater than under the Bribery Act 2010. These reforms have resulted, in part, from lobbying by the UK Serious Fraud Office. It is likely that corporate criminal enforcement will be an increased area of focus.
It will be a defence to the failure to prevent economic crimes offence if the organisation can prove that it had reasonable prevention procedures in place, or that it was not reasonable in all the circumstances to expect it to have had any procedures in place. The offence will come into force when the UK government publishes statutory guidance on the reasonable procedures organisations should consider putting in place.
The six principles are:
The failure to prevent offence may come into force on publication of the guidance or shortly thereafter.
The six principles are well known but need to be adapted in their application to this new wide-ranging offence.
There are no compliance duties under the failure to prevent economic crimes offence, but many organisations will wish to be in a position to avail themselves of the reasonable procedures defence. This will lead to contractually imposed warranties down supply chains requiring organisations to have in place reasonable fraud and economic crime prevention procedures.
It is therefore recommended that organisations have a reasonable procedures project plan. There are three stages to such a plan.
Top level commitment: 'top level commitment' will likely be a key principle of the reasonable procedures defence. The instigation of a project to develop reasonable procedures should have board or relevant committee/senior manager support with appropriate resources allocated to the exercise and any risk assessment and recommendations being reviewed and approved at a high level within the organisation. Meeting minutes should be kept, recording the board/committee approval and support of the project.
Forming a project team: depending on the size and structure of the business, to manage the project effectively, establishing an internal project delivery team will be helpful. For larger businesses, the team may comprise compliance, financial crime, and legal representatives. External legal or professional support is recommended to bring expertise and outside perspective to the exercise. Organisations may also wish to consider the application of legal privilege to the risk assessment exercise to protect sensitive findings from disclosure – this would require the taking of legal advice before commencing the review work.
Training for the project team: understanding the underlying offences to which the new laws apply will be informative to the review work. The project delivery team should receive training on the corporate criminal attribution reforms and the new failure to prevent economic crimes offence and the predicate, underlying, offences prior to commencing the review work.
Project plan: a project plan should be developed which will determine the scope of the review – for example, whether group wide or limited to specific subsidiaries or divisions, geographies, or key projects – as well as the timeline and budget for the project. It would be reasonable for businesses to start by conducting an overarching group level review before conducting deeper dives at a business unit or country level.
Having a documented risk assessment is likely to be a key pillar of the reasonable procedures defence. The focus of the risk assessment is the risk of associated persons of the organisation engaging in the prescribed economic crimes to benefit the organisation, the group, or its customers, rather than the risk of internal fraud against the organisation.
Planning and execution: the risk assessment needs to identify where the risks might exist – the inherent risk – and what existing controls are in place. The existing controls should operate to manage and reduce the level of inherent risk, enabling the business to identify the residual risk. This will allow a decision to be taken on whether enhanced controls are required to reduce the residual risk further.
Existing risk assessments and reviews: a starting point for a risk assessment is to consider what other relevant risk assessments are already in place for the failure to prevent the facilitation of tax evasion and failure to prevent bribery offences, money laundering and modern slavery. These risk assessments are likely to contain useful content for informing a broader economic crime risk assessment. Businesses may also have reports and data on other reviews relating to tendering, contracting, and the effectiveness of financial controls which are likely to be informative.
Internal audit reports/past compliance review: internal audit reports and previous compliance reviews are often a useful source of information to collate and review when considering the effectiveness of the control environment. A point to check is whether findings and recommendations were followed through.
Whistleblowing/speak up reports/disciplinary investigations: reviewing any past reports of suspected or alleged fraud, theft or other economic crimes would also be helpful. This information will be found in past disciplinary investigations and whistleblowing management information.
Workshops: workshops with relevant personnel to identify how economic crimes to benefit the business, the group or its customers could materialise are recommended. Relevant personnel are likely to include:
The risk assessment will inform the procedures that are reasonable for the business to put in place. Many organisations will already have procedures in place for risk areas which are likely to be capable of being extended to address wider economic crime risks.
A reasonable procedures framework should be developed, proportionate to perceived risk. It might include: