by Karolos Seeger, Aisling Cowell, and Andrew Lee

Following confirmation by the UK Government earlier this year that it intended to create a new ‘failure to prevent’ corporate criminal offence, it has now published the much-anticipated draft wording of a failure to prevent fraud offence. This will form part of the Economic Crime and Corporate Transparency Bill (the “ECCT Bill”), which is currently being debated by the House of Lords. Once enacted, the ECCT Bill will be the most important law tackling economic crime since the Bribery Act 2010.[1] It is also the culmination of a long debate about the reform of corporate criminal liability, including a review by the Law Commission completed last year.[2]

What are the key features of the offence?

An organisation will be liable under the new offence (as currently drafted) where:

• It is a “large organisation”
  • A large organisation is a company or partnership that meets at least two of these three criteria: over 250 employees, over £36 million turnover, or over £18 million in total assets
• An “associate” of the organisation commits a specified fraud offence; and
  • Associates include employees, agents, subsidiaries and any others who perform services for or on behalf of the organisation
  • Notable specified offences include fraud by false representation, failing to disclose information or abuse of position (all under the Fraud Act 2006), false accounting and false statements by company directors (both under the Theft Act 1968), and the common law offence of cheating the public revenue—including aiding or abetting any of these offences
• The associate intended to benefit (directly or indirectly) either the organisation or a third party to which the organisation is providing services
  • In the latter scenario, the organisation will not be liable where it was a victim of the fraud or was intended to be a victim
• Unless the organisation had implemented reasonable procedures designed to prevent associates from committing fraud.

Some other significant aspects of the offence are:

• It will have considerable extraterritorial application, based on the extraterritorial effect of many of the specified fraud offences. For example, if an associate commits any element of a relevant offence under the Fraud Act 2006 in the UK (such as by making a false statement in the UK or by making a gain in the UK through defrauding UK victims), the organisation could be liable, even if the rest of the conduct occurred overseas and both the organisation and the associate are based overseas.
• A conviction may result in an unlimited fine for the organisation.
• Organisations will be able to enter into deferred prosecution agreements (“DPAs”) with the UK authorities in relation to alleged violations.
• Although the government has ruled out a similar money laundering offence, the draft law explicitly permits the Home Secretary to make regulations adding an offence of failure to prevent money laundering under sections 327-329 of the Proceeds of Crime Act 2002, as well as other economic crimes involving dishonesty or fraud.

What are the aims of the offence?

This new offence responds to growing public pressure on the government in recent years to take more serious steps to combat fraud. While estimates of the financial cost of fraud in the UK vary widely, figures of well over £100 billion per year have been calculated. The government states that fraud is the most common offence in the UK, amounting to 41% of all crime in the year to September 2022.

The Director of the Serious Fraud Office (“SFO”) has described the offence as a “game-changer for law enforcement”, making it significantly easier to hold companies to account when they profit from fraud. The SFO has long campaigned for a failure to prevent fraud offence to help overcome the high hurdle presented by the UK’s prevalent “directing mind and will” test for attributing the criminal conduct and state of mind of an employee to their employing company. Notably, in the SFO’s failed prosecution of Barclays for conspiracy to commit fraud by false representation through allegedly misleading statements in its prospectuses and subscription agreements for capital raisings involving Qatari investors, the Court of Appeal found in 2020 that in the circumstances of that case, even the bank’s chief executive and chief financial officer did not represent its directing mind and will. If a failure to prevent offence had been available previously, the SFO could have chosen to use it as a more straightforward basis for the DPAs that it entered into with Tesco, G4S and Serco, instead of the primary fraud and false accounting offences under the Fraud Act 2006 and Theft Act 1968.

While the enforcement potential of these reforms is important, a factsheet and an impact assessment published by the government explain that it does not actually expect a significant increase in prosecutions. Instead, the primary purpose of the offence is to deter wrongdoing and drive a cultural change within organisations to focus on taking actions that protect the public and other businesses from a range of fraudulent practices.

How does it compare to the other ‘failure to prevent’ offences?

Fundamentally, the new offence is very similar to the existing failure to prevent bribery and failure to prevent the facilitation of tax evasion offences. It is a strict liability offence, with no requirement to prove that the company’s senior management was involved in, or even knew about, the misconduct. However, the new offence includes some important differences in each of its key elements:

• Large organisation. The focus is on large organisations, adopting the criteria for large companies in the Companies Act 2006. Approximately 25,000 UK entities will be in scope (there is no estimate of the number of large overseas organisations that could potentially be affected). Despite the likely greater fraud risks posed by the much higher number of small and medium-sized enterprises, these businesses will be left to the existing legal framework, as the government believes that bringing them within the scope of the new offence would impose a disproportionate compliance burden. However, this exemption has caused considerable controversy and it is possible that it may be removed or amended before the ECCT Bill is passed (or at a later date).
• Associate. Unlike the failure to prevent bribery offence, where the primary test as to whether someone is an associated person is whether they perform services for or on behalf of the company in the relevant circumstances (which may – but does not necessarily – include an employee, agent or subsidiary), the new offence assumes an employee, agent or subsidiary to be an associate of the company (as well as any others who perform services for or on its behalf). This places an even greater onus on large companies to ensure that their subsidiaries implement group-wide anti-fraud procedures.
• Benefit. Although the concept that the associate’s fraud must be intended to benefit the company (not just the associate personally) is familiar, the new offence widens this to capture a situation where the associate intends to benefit a third party that has engaged the company, rather than the company itself. In such situations, there may also be an intended indirect benefit to the company in any event. However, fraud (unlike bribery) is often perpetrated by individuals for purely personal gain, in which case their employer will not liable, reducing the potential application of the new offence.
• Reasonable procedures. Like the tax evasion corporate offence, there is a defence of “reasonable” prevention procedures, which is considered to place a lower compliance burden on companies than the “adequate” procedures language in the Bribery Act.
• Extraterritorial scope. While the failure to prevent bribery offence in the Bribery Act requires the company to be incorporated in the UK or carry on business (or part of a business in the UK), the new offence has a very different and potentially broader jurisdictional reach, depending on the nature of the underlying fraud offence. Both large UK companies and large foreign companies with some UK operations or a small UK subsidiary could be in scope. Even a foreign company that has no UK connections could be captured if, for example, an employee makes false statements that lead someone in the UK to buy a product from the company. However, unlike the Bribery Act, a UK company cannot be prosecuted for failing to prevent fraud occurring entirely overseas without any UK victims.

What impact could this have and what should companies be thinking about?

The new offence will not come into force until the ECCT Bill has been enacted and the government has published guidance on what constitutes reasonable fraud prevention procedures. Based on previous experience, that process is likely to take at least a year. However, given the extremely wide and flexible nature of the offence, it is advisable for large UK and overseas companies to start thinking now about how they might be affected and how they should respond.

A company’s exposure to bribery and facilitation of tax evasion are usually relatively straightforward to explain, identify and assess, but the enormously varied nature of fraudulent activity means that each company, and particularly each industry, will face unique issues. Companies will need to review fraud risks across their entire operations, including in relation to customers, suppliers, business partners, employees, agents and investors.

For businesses such as financial services firms that deal with high volumes of payment flows, existing anti-fraud systems may require enhancement. Technology companies may need to think carefully about how their platforms might be misused to defraud customers or users. Companies that deal with the public sector or large numbers of individuals should also be especially alert to the new offence, due to the higher risk of fraud and likely pressure for such fraud to be prosecuted.

For many companies, we expect that there will be considerable difficulty and complexity involved in designing and implementing an effective package of fraud prevention measures. Large companies are generally unlikely to be the perpetrators of fraudulent schemes for their own gain, but rather the victims of fraud. Having prescriptive prevention procedures for a concept as broad and amorphous as fraud will inherently be very challenging. Furthermore, the task for affected companies is magnified by the number of other primary offences that have been prescribed in the draft law and therefore need to be addressed, not all of which are closely related to fraud.

As a result, formulating comprehensive but user-friendly policies and procedures, and then delivering tailored training programmes to employees, is likely to be a major compliance project. As with anti-bribery procedures, robust due diligence on third parties, monitoring and audit processes will be important. Large companies should consider focusing their analysis on potential fraud against investors and customers, and in particular on procedures to avoid making misleading statements to either group or presenting inaccurate financial reports.

The government’s March 2023 economic crime plan includes £400 million over the next three years to provide funding for 475 more investigations staff and improved technology and intelligence sharing to combat fraud and other financial crime. This should generate more cases for the SFO and other agencies to investigate and prosecute, although no additional funds have been allocated for this purpose, so it is unclear whether the new offence will lead to a significant upturn in enforcement activity. Another possibility is that the new offence will encourage fraud victims to bring private prosecutions against companies to recover compensation, especially where a group of people has been defrauded by similar conduct.

Footnotes

[1]       The ECCT Bill follows the Economic Crime (Transparency and Enforcement) Act 2022, which we covered here: https://www.debevoise.com/insights/publications/2022/03/uk-economic-crime-act-strengthens

[2]       Our summary of the options paper published by the Law Commission in June 2022 is here: https://www.debevoise.com/insights/publications/2022/06/fcpa-update-june-2022

Karolos Seeger, is a Partner and Aisling Cowell and Andrew Lee are Associates at Debevoise & Plimpton LLP. This post first appeared on the firm’s blog.

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright or this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).