Introduction
On 26 October 2023, the Economic Crime and Corporate
Transparency Act 2023 (the “Act”)1
received royal assent and became law. The Act builds on the
Economic Crime (Transparency and Enforcement) 2022 Act2, which
was introduced in light of Russia’s invasion of Ukraine, and
which we discussed in this previous alert. The Act introduces a
number of wide ranging reforms to tackle economic crime and improve
transparency over corporate entities3, including:
a new strict liability offence of failure to prevent fraud for
large corporates; and
an amendment to the identification principle to make it easier
to prosecute companies and partnerships for certain economic crime
offences.
“Our current system for holding corporations
liable for conducting crime is based on legislation that has become
antiquated. We must adapt to the challenges posed by modern
practices and sophisticated criminality. With the tabling of this
reform, we are doing just that.” Rt Hon Tom Tugendhat,
Security Minister
These two reforms form part of the UK Government’s Economic
Crime Plan 24 and Fraud Strategy5, and serve to
reinforce the importance of effective fraud risk management.
Companies should reflect on the adequacy of their fraud risk
management framework and the implications of failing to implement
“reasonable procedures” to mitigate fraud.6
The amendment of the identification principle comes into force
immediately. However, the strict liability failure to prevent
offence will only come into force after the government has
published guidance on the “reasonable procedures” defence
to the offence (see section 1 below for further detail).
Recommendations
In light of these two legislative changes, which we discuss in
more detail below, we recommend that organisations:
Review and reinforce existing risk assessments with particular
reference to relevant fraud risk;
Review and reinforce their:
policies, procedures and controls to mitigate identified fraud
risk;
whistleblowing program;
training;
third party contractual documentation;
third party (including subsidiary) oversight;
use of data analytics;
monitoring of fraud risk on an ongoing basis; and
internal audit program;
Identify “senior managers” whose acts may lead to the
organisation’s liability for certain economic crimes (see
section 2 below). Ensure that these senior managers are aware of
identified fraud risks and applicable policies and procedures;
and
Seek to create an organisational culture and governance
structure to address fraud risk.
Mayer Brown can assist with taking these steps, leveraging our
expertise and experience in conducting analogous large-scale risk
analysis exercises, as well as ensuring policies and processes are
adequate for the new requirements.
If you have questions, or would like to find out more about how
we can help, please contact Alistair Graham, Sam Eastwood, Chris
Roberts, Findley Penn-Hughes, or Hormis Kallarackel.
1. New failure to prevent fraud offence
The new offence is unusual and potentially very significant
because it is a strict liability criminal offence.
It builds on the existing offences of failure to prevent bribery
under the Bribery Act 2010 and failure to prevent the facilitation
of tax evasion under the Criminal Finances Act 2017. The new
offence will come into force only after the government has
published guidance on the “reasonable procedures” defence
to the offence (see further detail below).
The offence only applies to larger companies and partnerships
(the “organisation”) which meet at least
two of the following criteria in the financial year preceding the
year of the fraud offence:
more than 250 employees;
more than £36 million turnover; and/or
more than £18 million in aggregate assets on its balance
sheet.
The offence will also apply to organisations which are the
parent undertaking of a group which meets at least two of the
following criteria in the financial year preceding the year of the
fraud offence:
an aggregate turnover of over £36 million net (or
£43.2 million gross);
aggregate balance sheet total of over £18 million net (or
£21.6 million gross); and/or
more than 250 aggregate employees.
An organisation which meets two of these criteria is defined as
a “large organisation” under the Act and will be liable
under the new offence if it fails to prevent a specified fraud
offence where (i) an “Associated Person” of the
organisation commits the fraud; and (ii) the fraud is intended to
benefit the organisation or a person to whom services are provided
on behalf of the organisation.
“Associated Person” is defined as an employee, agent
or subsidiary of the organisation (as well as any others who
perform services for or on its behalf). This is broader than the
definition in the Bribery Act 2010, which includes a rebuttable
presumption that an employee is an Associated Person, but in
relation to agents and subsidiaries applies a test as to whether
the associated person actually performs services for or on behalf
of the organisation in the relevant circumstances.
The failure to prevent fraud offence has wide extraterritorial
effect. If an Associated Person commits fraud under UK law, or
targeting UK victims, the organisation could be prosecuted, even if
the organisation (and the Associated Person) are based
overseas.
Specified fraud offences are listed in Schedule 13 to the Act
and include fraud by false representation, fraud by abuse of
position, and fraud by failing to disclose information. The
Secretary of State is empowered to pass secondary legislation to
add or remove offences from this schedule.
The organisation will only have a defence if it can show it
either had “reasonable procedures” in place to prevent
the fraud, or that it was not reasonable for the organisation not
to have such procedures in place. The government is required under
the Act to publish guidance on what it considers to be adequate in
this regard. This is the same as happened with the strict liability
corporate offence of failure to prevent bribery, when the Bribery
Act 2010 came into force.
Comment
Organisations within scope of the new offence will need to carry
out risk assessments to re-examine their fraud detection and
prevention processes against any new statutory guidance. If that
guidance aligns with the guidance for the existing failure to
prevent bribery and facilitation of tax evasion offences, this will
include implementing:
regular risk analysis, which is kept under review;
anti-fraud policies and processes supported by appropriate
training;
financial, commercial and accounting controls; and
whistle blowing program.
Such organisations can leverage already existing policies and
procedures, such as their anti-bribery policies and procedures.
The assumption that agents and subsidiaries are assumed to be
Associated Persons means that organisations should ensure that the
same level of fraud detection and prevention processes are in place
for those entities. This does, however, present a tension for
UK-based multinational corporations, following the 2021 Supreme
Court decision in Okpabi v Shell7, which we discuss in detail
in this update:
On the one hand, by being actively involved in the
establishment and monitoring of its foreign subsidiary’s fraud
prevention program, a UK-based parent company could risk
establishing a gateway for claims relating to the activities of its
subsidiary in the foreign jurisdiction to be brought before the
English courts (rather than the local courts);
Conversely, if the parent company does not ensure that its
fraud prevention program is properly implemented by its
subsidiaries, it runs the risk of criminal prosecution under the
failure to prevent fraud offence.
Ultimately, the most effective way of addressing both sets of
risks is by having an effective group compliance program in place
which is properly implemented and audited by the parent company,
thereby reducing the likelihood of events occurring which could
give rise to either a failure to prevent fraud offence, or
large-scale group actions as in Okpabi.
2. Reform to the identification principle
The current framework for corporate criminal liability applies
the “identification principle”. This states that, where a
mental state is a required element of an offence, only the mental
state of a person representing the “directing mind and
will” of a corporate can be attributed to that corporate.8
Establishing this has proved challenging for the SFO to make out in
its prosecutions, which was highlighted in the 2018 decision in
SFO v Barclays9.
The Act addresses this through the following reforms, which
together should make it more straightforward for the SFO
successfully to prosecute corporates for economic crimes:
Corporate liability: An organisation will be
guilty of a “relevant offence” (discussed further below)
if that offence is committed by a “senior manager” of the
organisation acting within the actual or apparent scope of their
authority.
Definition of “senior manager”:
“Senior manager” is defined as an individual who plays a
significant role in either (a) the making of decisions about how
the whole or a substantial part of the activities of the
organisation are to be managed or organised, or (b) the actual
managing or organising of the whole or a substantial part of those
activities.
Definition of “relevant offence”: A
“relevant offence” is one of the offences listed at a new
schedule to the Act. This list includes bribery, tax, fraud and
false accounting offences. A “relevant offence” also
includes attempt, conspiracy, encouraging or assisting, aiding,
abetting, counselling or procuring the commission of an offence
listed in the schedule.
Geographic scope: Where no act or omission
forming part of the relevant offence takes place in the UK, an
organisation will not be guilty of an offence unless it would be
guilty of the relevant offence in the country where it was
committed.
Comment
Corporates should consider who in their organisation could fall
within the definition of “senior manager”, given that the
acts and omissions of such “senior managers” could result
in the corporate being criminally liable for any offence such
senior manager commits. Corporates should ensure that appropriate
corporate governance processes to prevent economic crime are in
place, particularly in relation to individuals who could be
considered “senior managers”. We set our recommendations
in this regard in more detail in our previous alert on this subject. In
summary, organisations should:
identify individuals who could be considered senior managers,
and provide regular training to them on prevention of the potential
offences;
conduct risk mapping exercises to identify business units with
high-risk of potential economic crime, such as procurement;
undertake regular monitoring, and imposing segregation of
duties;
maintain an independent internal audit function; and
implement a robust whistleblowing program.
The new failure to prevent fraud offence and reform of the
identification principle are potentially powerful new tools for the
new (as of September 2023) Director of the SFO, Nick Ephgrave. We
will continue to monitor and publish further alerts on the
government’s ongoing efforts to enhance the SFO’s ability
to prosecute economic crimes, such as the new independent review
into how the disclosure regime is working in a digital age and
whether the current fraud offences are fit for the purpose of
investigating and prosecuting modern fraud.10
Footnotes
1 Link
to the Act
2 https://www.legislation.gov.uk/ukpga/2022/10/contents/enacted
3 These include registration
and transparency requirements to limit the risk of limited
partnerships being used for illicit activities; enhanced powers for
Companies House in relation to company filings that appear to be
erroneous, anomalous or suspicious (more detail in the Companies House publication); and broadened
criminal confiscation powers to include cryptoassets.
4 https://www.gov.uk/government/publications/economic-crime-plan-2023-to-2026
5 https://www.gov.uk/government/publications/fraud-strategy
6 https://www.gov.uk/government/publications/economic-crime-and-corporate-transparency-bill-2022-factsheets/factsheet-failure-to-prevent-fraud-offence
7 Okpabi and others (Appellants) v Royal Dutch Shell
Plc and another (Respondents) [2021] USKC 3
8 Tesco Supermarkets Ltd v Nattrass [1971]
UKHL 1.
9 The
Serious Fraud Office v Barclays Plc & Anr [2018] EWHC
3055 (QB)
10 https://www.gov.uk/government/collections/independent-review-of-disclosure-and-fraud-offences
Visit us at
mayerbrown.com
Mayer Brown is a global services provider comprising
associated legal practices that are separate entities, including
Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP
(England & Wales), Mayer Brown (a Hong Kong partnership) and
Tauil & Chequer Advogados (a Brazilian law partnership) and
non-legal service providers, which provide consultancy services
(collectively, the “Mayer Brown Practices”). The Mayer
Brown Practices are established in various jurisdictions and may be
a legal person or a partnership. PK Wong & Nair LLC
(“PKWN”) is the constituent Singapore law practice of our
licensed joint law venture in Singapore, Mayer Brown PK Wong &
Nair Pte. Ltd. Details of the individual Mayer Brown Practices and
PKWN can be found in the Legal Notices section of our website.
“Mayer Brown” and the Mayer Brown logo are the trademarks
of Mayer Brown.
© Copyright 2023. The Mayer Brown Practices. All rights
reserved.
This
Mayer Brown article provides information and comments on legal
issues and developments of interest. The foregoing is not a
comprehensive treatment of the subject matter covered and is not
intended to provide legal advice. Readers should seek specific
legal advice before taking any action with respect to the matters
discussed herein.