Introduction

The Economic Crime and Corporate Transparency Act (“the Act”) received Royal Assent on 26 October 2023. It introduces two significant changes to the law on corporate criminal liability, substantially broadening the ways in which certain corporate entities can be held responsible for crimes committed by individuals. The changes are:

• A new rule of attribution where, if a “senior manager” commits a listed offence, the corporate is also guilty of that offence.
• A new offence of failure to prevent fraud: a strict liability criminal offence for large organisations where there has been a failure to prevent certain “fraud offences” being committed by its associated persons.

The Catalyst for Change

The long-held perception by some, including prosecutors, is that corporate entities, particularly large organisations, have been “getting away with it”. Many argued that the English law on corporate criminal liability was outdated and made it difficult to hold large companies to account. In the government’s own risk assessment, the English law on corporate criminal liability was “not fit for purpose”. How this should be addressed proved to be a contentious issue.

Under English law, the default method for attributing criminal liability to legal entities is through the “identification principle” (“ID principle”). In broad terms, this means that a corporate body is only criminally liable for offences of one or more individuals who represent its “directing mind and will” and who had the requisite mental state. This person must be of sufficient seniority such that he or she embodies the corporate itself. It is argued that in the modern world, where corporate bodies have complex structures, it is very difficult, if not impossible, to identify such a person. This had the effect of making it very difficult to prosecute larger corporations and easier to target smaller outfits.

The Law Commission, an independent body, was asked to review the law in this area and provide options for reform. In June 2022, it published its options paper and, by September, the Economic Crime and Corporate Transparency Bill had its first reading in Parliament. The changes to corporate criminal liability, despite their significance, are found in the Miscellaneous provisions in Part 5 of the Act.

THE CHANGES

The New Rule of Attribution

Section 196 of the Act creates an alternative to the ID principle for certain bodies and in relation to specified “economic crimes”. The provision is due to come into force on 26 December 2023. Under section 196, where a “senior manager” acting within the actual or apparent scope of their authority commits a “relevant offence”, the organisation is also guilty of the offence. This rule of attribution applies to all bodies corporate wherever they are incorporated, but does not include a corporation sole, or a partnership which is not regarded as a body corporate under the law by which it is governed.

Schedule 12 to the Act sets out the list of economic crimes to which the new rule of attribution will apply. It is extensive, and offences may be added or removed by Regulation. It currently includes offences such as: fraud, offences under the Theft Act including false accounting and theft, fraudulent evasion of VAT, offences under the Financial Services and Markets Act 2000, money laundering offences, fraudulent trading, bribery offences, offences under the Financial Services Act 2012, and sanctions-related offences.

What is a Senior Manager?

A senior manager is an individual who plays a significant role in:

1. The making of decisions about how the whole or a substantial part of the activities of the organisation are to be managed or organised; or
2. The actual managing or organising of the whole or a substantial part of those activities.

There is no statutory defence for affected bodies. Disputes may arise on the questions of whether a person is in fact a senior manager and whether that person was acting within the actual or apparent scope of their authority.

It must be remembered that the legislative aim of this provision is to make it easier to attribute criminal conduct to corporate entities. Parliament has redrawn the line and decided that offences committed by a “senior manager” (something less than the company’s “directing mind and will”) should be treated as an offence committed by the entity itself. As a result, it will undoubtedly become easier for a corporate entity to be held directly liable for criminal conduct of its senior managers.

Territoriality

Under section 196(3), a company based and operating overseas is not guilty of an offence by means of the new rule of attribution if the conduct of the senior manager concerned was carried out wholly overseas. This takes into consideration the fact that the list of offences in Schedule 12 includes offences for which the U.K. claims extra-territorial jurisdiction.

New Offence of Failure to Prevent Fraud

The second major change, and the one that is expected to increase the compliance burden, is the introduction of a new strict liability corporate offence of failure to prevent fraud. Liability based on a failure to prevent substantive offences being committed by others was first introduced under the Bribery Act 2010 (“Bribery Act”) in the offence of failure to prevent bribery, and then under the Criminal Finances Act 2017 (“CFA”) for the offence of failure to prevent the facilitation of tax evasion. This form of corporate liability has proven to be popular, and although there have yet to be any prosecutions under the CFA, the Bribery Act has been more fruitful, principally in the form of deferred prosecution agreements (“DPAs”). Many of the concepts introduced by the Bribery Act and the CFA reappear in the Act, such as the “associated person”.

The delay to the Act receiving Royal Assent is for the most part because of a dispute between the House of Commons and the House of Lords on the scope of the new failure to prevent fraud offence. Why was this so contentious? The government recognised that the new failure to prevent fraud offence brought with it a significantly increased compliance burden for entities within its scope. For this reason, the government decided that it should only apply to “large organisations”. The House of Lords disagreed and the parliamentary back-and-forth began. Ultimately, the government won.

The new offence is not yet in force and will not come into force until statutory guidance is published. As a result, it is expected that it will not come into force for several months, if not a year.

Under the Act, the offence of failure to prevent fraud is committed where:

1. an “associate” of a relevant body (i.e., a large organisation) commits a “fraud offence”;
2. the fraud offence was intended to benefit (directly or indirectly) either:

1. the relevant body; or
2. any person to whom, or to whose subsidiary undertaking, the associate provides services on behalf of the relevant body.

In scenario (b) above, no offence is committed where the relevant body was intended to be a victim of the fraud. This exception does not apply where the fraud offence was intended to benefit the relevant body itself.

The list of fraud offences is set out in Schedule 13 to the Act and is relatively short. It includes cheating the public revenue, fraud, fraudulent trading, and false accounting. The list may be amended by Regulation to add or remove other offences.

Statutory Defence

Similar to the Bribery Act and the CFA, the Act provides a statutory defence. It is a defence for a relevant body to show:

1. it had in place reasonable prevention procedures, or
2. it was not reasonable in all the circumstances to expect the body to have prevention procedures in place.

Parliament appears deliberately to have avoided the use of ‘adequate procedures’ as appears in the Bribery Act. A view was taken that ‘reasonable prevention procedures’ provided a lower threshold and provided greater clarity than adequate procedures. From a practical perspective, this may be a distinction without a difference.

What is a Large Organisation

The new offence only applies to a “relevant body”, i.e., a “large organisation”. A relevant body is any body corporate or partnership, wherever incorporated or formed. The definition of “large organisation” mirrors the definition in the Companies Act 2006 and means any organisation that meets two out of three of the following criteria:

• Turnover: more than £36 million;
• Balance sheet total: more than £18 million;
• Number of employees: more than 250.

The Act contains provisions concerning how these criteria are to be calculated. Where the relevant body is a parent undertaking, the turnover, balance sheet total, and number of employees criteria are calculated on an aggregated basis taking into account the figures for each member of the group.

Implications of the Changes

Despite the clamour for making it easier to prosecute large organisations, the government’s impact assessment makes it clear that a significant increase in prosecutions is not anticipated. Rather, it is expected that there will be an increase in the number of DPAs. This provides a financial boon for the Treasury and a potentially fraught road for corporates. The offences in Schedule 12 (economic crimes) and Schedule 13 (fraud offences) are all offences for which DPAs are available.

The inevitable increased compliance burden provided justification for the government’s decision to restrict the failure to prevent fraud offence to large organisations. It was argued that large organisations can bear the burden and it is unfair to expect smaller organisations to do so, particularly where it is in relation to large organisations where legal difficulties arise. Organisations within the scope of the new offence must approach the prevention of fraud offences much in the same way as the risk of bribery has been addressed. The increased cost of compliance will not be welcome news to those who will have to bear the cost.

The yet to be published guidance is expected to be broadly similar to that for offences under the Bribery Act and the CFA. This provides a good starting point for companies that want to get ahead and prepare for the changes. It is wise to bear in mind that the burden of establishing a defence to the failure to prevent fraud offence, is on the body itself. In order to rely on the second limb of the defence (i.e., that it was not reasonable in all the circumstances to have any prevention procedures in place) there will be an expectation that a thorough risk assessment has been carried out before that conclusion was reached.

The introduction of the new rule of attribution will not, in the government’s view, involve a significant cost to corporates—only to those who “choose to put measures in place to increase transparency and control with senior management”. In all other instances, the cost is only that of familiarisation with the new provisions.

Conclusion

The Act seeks to address what many considered was a significant obstacle in criminal enforcement against corporate bodies. In some quarters, the changes are viewed as a window-dressing solution to a non-existent problem. This is no comfort for companies that are facing an additional dimension to compliance. The new provisions on attributing criminal liability and the failure to prevent fraud offence represent what the government considers to be an appropriate way of meeting the objectives of addressing the disparity between small and large organisations, reducing the level of economic crime, and enabling the prosecution of bodies with complex ownership structures. The consequence of this is that in order to protect themselves from potential criminal liability, affected companies will have to design policies and procedures to address the particular risks involved. There is much work to do.