The recent passage of the Economic Crime and Corporate Transparency Act 2023 marked a significant moment in the UK government’s commitment to improving its economic crime legislative framework, with the aim of deterring and further preventing economic crime. Among the key measures, the new ‘failure to prevent fraud’ offence, which introduces liability for fraud committed by an organisation’s ‘associated persons,’ will have an important impact on organisations and their existing fraud prevention measures.
The Economic Crime and Corporate Transparency Act 2023 (the Act) received Royal Assent on 26 October 2023. While the Act is now law, not all of its changes take effect immediately; they will be rolled out gradually under a government implementation timetable. An official date has not yet been announced for when all measures of the Act will be in force, but the government has indicated that it will be in early 2024.[1]
The Act has introduced several key measures designed to encourage and improve corporate transparency and tackle economic crime in the UK. According to the UK government, fraud is the most commonly experienced crime, accounting for more than 40% of crime in England and Wales.
The Act has introduced a new ‘failure to prevent fraud’ offence, which is the third strict liability corporate criminal offence in the UK, following ‘failure to prevent bribery’ under the Bribery Act 2010[2] and ‘failure to prevent the facilitation of tax evasion’ under the Criminal Finances Act 2017.[3]
This LawFlash considers the new ‘failure to prevent fraud’ offence and what it means for businesses.[4] The recent Director of the UK’s Serious Fraud Office, Lisa Osofsky, called the new offence a “game changer for law enforcement.”[5] The introduction of this offence is significant because of its breadth, including its introduction of liability for certain organisations for fraud committed by their ‘associated persons.’
This new offence will make organisations criminally liable if the organisation has failed to prevent fraud by an associated person and the fraud committed by the associated person is intended to benefit the organisation (or a person to whom services are provided on behalf of the organisation).
It will be a defence for an organisation to demonstrate that it had ‘reasonable procedures’ in place to prevent the fraud. The UK government will publish guidance on this offence and on what is meant by ‘reasonable procedures’ before the provision comes into force.
The offence will apply to large companies (and their subsidiaries) as well as to large partnerships. Additionally, large not-for-profit organisations, such as charities and incorporated public bodies, will fall within scope. The offence will apply across all sectors.
Two of the three criteria below must be met for the ‘failure to prevent fraud’ offence to apply to an organisation:
The offence will also apply to parent companies of a group which meets at least two of the following criteria in the financial year preceding the year in which the fraud offence is committed:
The in-scope fraud offences, listed below, are numerous and, as can be seen, are the types of fraud which can commonly occur in large companies and organisations:
Organisations will be held liable where an ‘associated person’ of a large company/partnership commits one of the aforementioned fraud offences. The meaning of ‘associated person’ is broad and will include
Liability can be attached to a parent company where a fraud offence was committed by a subsidiary’s employee, for the benefit of the parent company, and the parent company did not take ‘reasonable’ steps to prevent it.
Courts will consider the full circumstances on a case-specific basis; ultimately, however, an organisation convicted of this offence faces an unlimited fine. The non-financial ramifications of a fraud conviction could also include significant reputational and brand damage.
While the Act itself is silent on the extra-territorial jurisdictional reach of the new offence, the government’s factsheet states that ‘if an employee commits fraud under UK law, or targeting UK victims, their employer could be prosecuted, even if the organisation (and the employee) are based overseas.’[6]
On this reading, where a large company based outside the UK has an employee who commits a fraud offence under UK law, or targets UK victims, for the company’s benefit, that company may be liable under the ‘failure to prevent fraud’ offence.
The Act provides a defence to the ‘failure to prevent fraud’ offence if an organisation can demonstrate that it had ‘reasonable procedures’ in place to prevent fraud.
The UK government will publish guidance with more information about what constitutes ‘reasonable procedures’ before the new offence comes into force. Once released, this guidance should help companies navigate whether their current fraud prevention mechanisms are sufficient or whether they require enhancement.
While the importance of having strong fraud prevention procedures in place will not be news to large organisations in the UK, now would be an appropriate time for organisations to revisit their existing fraud prevention measures and enhance them where required. Of course, many large organisations will already have implemented financial crime control frameworks and procedures to deter and prevent fraud.
This is due in large part to the UK Bribery Act coming into force on 1 July 2011 and introducing the offence of ‘failure to prevent’ bribery, for which the available defence is that the corporate had ‘adequate procedures’ in place to prevent bribery. At that time, the government issued guidance on what was meant by ‘adequate procedures,’ modelled around a risk-based approach to compliance featuring six key principles.
These principles are not intended to be prescriptive and should be adapted depending on the organisation, its size, services provided, etc., and ultimately the procedures that an organisation adopts should be appropriate and proportionate to the unique risks facing each organisation.
These six principles are as follows:
The government has not yet issued guidance on what constitutes ‘reasonable procedures’ in the context of the new ‘failure to prevent fraud’ offence, but a good starting point for organisations will be to ensure that they adopt a risk-based approach modelled on the principles above. There are several steps that organisations can take to drive positive corporate behaviours and enhance their fraud prevention measures, some of which are described below.
Tone From the Top Leadership
In order to establish a strong anti-fraud culture within an organisation, there should be C-level commitment to fostering a zero-tolerance attitude towards fraud. As a starting point, this might include a member of the company’s executive team distributing emails/videos across the company’s communication channels to all employees/agents about fraud risks and red flags, how to report suspected fraud, and where to find the relevant fraud policies and procedures.
When this type of messaging comes from the executive level, it signals the company’s commitment to a zero-tolerance policy towards fraud and can help to encourage positive employee behaviours.
Fraud Risk Ownership and Key Business Unit Stakeholders
Key stakeholders responsible for managing specific business units (e.g. those leading finance, compliance and/or internal audit functions) would be wise to collectively revisit their current fraud risk assessment and identify how the ‘in-scope’ offences listed herein might relate to their own business unit operations and activities. They should also ensure that ownership of each specific fraud risk is made clear from a governance perspective, and that their assessment is documented.
Those who manage finance and/or internal audit functions and, in turn, are responsible for individuals who may be involved in company financial reporting should receive internal training on the new offence. This is particularly relevant in the context of ESG fraud, which can include where a company and/or those who represent a company misreport or misrepresent a company’s performance in relation to its ESG activities, for example, in order to meet performance goals or financial targets.
If a company profits as a result of fraudulent financial misreporting, the company could potentially be caught by one of the ‘in-scope’ fraud offences. As such, to mitigate this type of situation arising, a company’s fraud risk assessment should identify the relevant stakeholders responsible for each high-risk business area that could be susceptible to an ‘in-scope’ fraud offence and ensure that fraud systems and controls are updated, refresher training is provided and enhanced procedures are implemented where required.
Depending on the size of the organisation, it may be helpful for management to establish a working group in which fraud risk owners collaborate to discuss and identify new and emerging fraud risks, including the characteristics unique to the ‘in-scope’ fraud offences and the techniques used to commit newer forms of fraud such as cyber-enabled fraud.
A working group could be helpful in encouraging a cross-exchange of information between different business units/functions, i.e. finance, audit, legal and compliance, so that red flags are identified at an early stage.
Anti-Fraud Policies and Procedures
A company’s fraud; anti-bribery and corruption; environmental, social and governance (ESG); third-party supplier; and modern slavery policies and procedures should be updated to reflect the behaviour and conduct the organisation expects of its employees, agents and third-party suppliers in upholding an anti-fraud culture, including the individual and corporate consequences of failing to do so.
Policies and procedures should also include appropriate guidance about the penalties for non-compliance, including potential employee/agent employment termination in the event that an employee/associated person is found to have committed a UK fraud offence.
Policies and procedures should be user-friendly and styled in plain English (and available in other languages if required). The format should be easily understood by all employees, irrespective of their level of seniority within an organisation. Copies should be accessible to all users on the company’s online portal/intranet, as well as in hard-copy, and be maintained by a relevant contact person in the compliance/in-house legal division.
Training
Mandatory training about fraud, the specific relevant UK fraud offences and why they are relevant in the context of the organisation’s specific operations and services should be rolled out as a ‘refresher session’ to all employees (irrespective of seniority). Records should be kept and maintained for all those in attendance. There should be appropriate consequences in the event of non-attendance at mandatory trainings.
Training should be user-friendly and be provided either in person or via an e-learning platform, with participants tested on their knowledge by way of quizzes/tests at the end of the session that require a mandatory pass mark.
Companies should also consider their relationships with third parties and all those who provide services on behalf of the organisation, and determine the best way to ensure that everyone involved in their supply chains has strong policies, procedures and training in place to prevent and mitigate fraud.
Company-Wide Fraud Risk Assessment
A company-wide fraud risk assessment should be held at least annually to evaluate the specific internal and external fraud risks that may impact the organisation. This assessment should also include group subsidiaries (if any) and any specific external/internal fraud risks unique to those subsidiaries. The steps taken to mitigate the external and internal risks should be well documented, and those responsible for ‘owning’ fraud risk within each business unit/function should be clearly identified to promote accountability and support a robust risk governance structure.
The company-wide fraud risk assessment should be reviewed on a periodic basis to include any new risks.
Third-Party Suppliers
When onboarding third-party suppliers and entering into third-party contracts, it is of paramount importance that organisations carry out considered due diligence to ensure that the parties they contract with share the same commitment and values in upholding an anti-fraud culture, and that they have appropriate policies, procedures, systems and controls in place to mitigate the risk of fraud. Ultimately, an organisation should be comfortable that any third party it decides to contract with behaves in a manner consistent with the organisation’s own standards on fraud prevention.
When entering into third-party contracts, those contracts should be carefully drafted to set out the rights and responsibilities of the organisation, including the organisation’s audit and review rights of the third-party supplier and the ability for the organisation to request information on a periodic basis.
Now would be the time to ensure that third-party audit teams conduct a thorough assessment of the organisation’s third-party vendors. That review could include examining third-party vendor contracts and confirming the level of inspection rights afforded to the business to make enquiries of, and inspect the books, records and premises of, those who perform services for or on its behalf.
An assessment of which vendors pose the highest risk for the business should be conducted, and those assigned with a ‘high risk’ status could be subject to enhanced audit/inspection rights. If in the course of the third-party vendor risk assessment certain vendors are found to no longer remain within the organisation’s fraud risk appetite, the business should consider whether to exit those relationships.
Speak-Up Channel
There should be an appropriate way in which employees/agents/third parties can report fraud or suspected fraud in a safe and controlled manner without fear of organisational retaliation.
Many large organisations have a dedicated ‘Speak Up’ channel through which employees can report any concerns to the business in confidence. Providing employees with a secure avenue to raise their concerns gives them confidence and reassurance, and demonstrates the company’s efforts to establish a zero-tolerance culture towards fraud.
Organisations that take the appropriate steps to develop a strong anti-fraud culture and a framework designed to prevent and mitigate fraud will put themselves in the best position to mount a ‘reasonable procedures’ defence before the court, should an ‘associated person’ linked to the organisation commit a fraud offence under UK law that was intended to benefit the organisation, or any person to whom the ‘associated person’ provides services on behalf of the organisation.
They should be sure to keep records of those steps so that they can establish that defence should it ever prove necessary.
Morgan Lewis develops corporate compliance and ethics programs for clients’ business needs that align with global regulator and law enforcement specifications, working lockstep with clients’ risk profiles, cultures, organizational structures, systems, and processes. For additional guidance, learn more about our corporate ethics and compliance practice.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following:
[1] Companies House, Changes to UK company law: a big moment for Companies House (26 Oct. 2023).
[2] Section 7, Bribery Act 2010.
[3] Part 3, Criminal Finances Act 2017.
[4] See Section 199, Economic Crime and Corporate Transparency Act 2023.
[5] Home Office, New crackdown on fraud introduced by the Home Office (11 Apr. 2023).
[6] Factsheet: failure to prevent fraud offence (11 April 2023).