New UK 'failure to prevent' fraud corporate criminal offence

The UK Government is expanding the scope of corporate criminal liability in the UK to make it easier to pursue large organisations for economic crimes.

A new corporate criminal offence of failing to prevent fraud is being introduced in s199 of the Economic Crime and Corporate Transparency Act 2023. It means that prosecutors will no longer have to show that the ‘directing mind and will’ of a company were involved in the fraud.

Businesses to be made liable for fraud committed by associates

The UK Bribery Act 2010 was the first in the UK to adopt the ‘failure to prevent’ model of corporate criminal liability. It was also used as a model for two ‘failure to prevent the facilitation of tax evasion’ offences contained in the Criminal Finances Act 2017.

These ‘failure to prevent’ offences make a company criminally liable where it has failed to prevent misconduct by an associated party.  It does not matter if the company was unaware of the misconduct. The only defence is having the right type of compliance procedures in place to prevent the misconduct.

The Government is now adopting this mechanism to reform corporate criminal liability by introducing an offence of failing to prevent fraud.

The new offence will make it easier for criminal prosecutions to be brought against companies. There is also a heightened risk of prosecutions being brought against corporate entities via private prosecutions, where disgruntled victims of fraud seek redress through the criminal courts.

New offence for larger entities/groups only

The new offence catches larger companies and partnerships which meet at least two of the three following criteria:

• more than 250 employees
• more than GPB36 million turnover 
• more than GBP18m in total assets. 

In addition, the offence will apply to a parent company if the group headed by it (defined as the parent and its subsidiaries) meets, in aggregate, two or more of the criteria above.

What corporate conduct will be criminalised?

A large organisation that fails to prevent fraud by an associated person would commit an offence provided the fraud was committed with the intention of benefitting the organisation or those to whom it provides services.

The types of fraud covered are:

• Fraud by false representation, by failing to disclose information, or by abuse of position (ss2-4 Fraud Act 2006)
• Obtaining services dishonestly (s11, Fraud Act 2006)
• Participation in a fraudulent business (s9, Fraud Act 2006)
• False accounting (s17, Theft Act 1968)
• False statements by company directors (s19, Theft Act 1968)
• Fraudulent trading (s993, Companies Act 2006)
• Cheating the public revenue (common law)

By way of example, ‘cooking the books’ to make a company look healthier could be caught, as would misleading statements made during a public procurement exercise, or potentially greenwashing claims.

There had been debate on whether the failure to prevent offence should cover money laundering too, but this has not been included. On 4 September the House of Commons rejected the Lords' proposed amendment to extend the scope of the offence to include money laundering, acknowledging (as we had argued during the consultation process) that money laundering responsibilities are already dealt with in an existing regime.

Again, there is some inbuilt flexibility here which allows for further offences to be added by secondary legislation provided they are offences that involve dishonesty, are of a ‘similar character’ to the above, or are core money laundering offences. This could feel to companies like new failure to prevent offences being introduced by the back door and without proper legislative scrutiny.

In addition to the list of offences above, it also includes ‘aiding, abetting, counselling or procuring the commission of a listed offence’. This extends the company’s potential liability even further, for example, to a situation where an employee has not committed one of the offences listed above, but has assisted another person or entity who has. The company could be liable for failing to prevent the employee’s behaviour if it was done with the intention of benefitting the company or clients/customers.

A broad definition of associated person

A company will be guilty of the new offence where it fails to prevent fraud by an associated person. An associated person is defined as:

• an employee, agent or subsidiary of the relevant organisation, 
• an employee of a subsidiary, or
• a person who otherwise performs services for or on behalf of the organisation.

This is broader than under the equivalent bribery and facilitation of tax evasion failure to prevent offences.

In the bribery offence, whilst an employee is assumed to be a person that performs a service on behalf of a company and is thus an associated party, there is a carve out ‘if the contrary is shown’. There is no such carve-out in the new offence.

In the bribery and tax offences, a subsidiary can be an associated person but only where it is performing a service on behalf of the company. The offence can potentially be triggered by misconduct by any subsidiary. Parent companies would therefore likely find themselves at greater risk of liability for failure to prevent subsidiaries’ fraudulent behaviour – adding another layer of risk for parent companies which are already grappling with the implications of the UK Supreme Court’s findings that a UK-domiciled parent company may owe a duty of care towards claimants allegedly impacted by the actions of a foreign subsidiary (Okpabi and others v Royal Dutch Shell Plc and another [2021] UKSC 3 and Vedanta Resources PLC and another v Lungowe and others [2019] UKSC 20). The inclusion of employees of subsidiaries as 'associated persons' casts the net even wider for parent companies. 

In addition, the offence explicitly notes that whether a person (other than an employee, agent or subsidiary) performs services for or on behalf of a relevant body is to be determined by the relevant circumstances, and not by reference to the nature of the relationship. As with the bribery and tax offences, this means a company can be liable for misconduct by, eg self-employed or contracted agency workers alongside permanent employees.

The ‘benefit requirement’

The offence only bites where the associated person intended to benefit, directly or indirectly, the company or those to whom services are provided (or their subsidiaries), eg customers and clients. This ‘indirect’ benefit is likely to provoke some debate. How might it apply, for example, to an employee who may be primarily motivated by personal gain, eg increased commission/bonus targets, but who knows and intends the company to benefit too? Or did not so intend but expresses in an internal investigation interview after the event that their intention all along had been to benefit the company.

The benefit requirement is slightly stricter where the associated person is an employee of a subsidiary. A failure to prevent fraud offence is only committed by the parent company if the employee intended to benefit the parent company, directly or indirectly.  

Extra-territorial effect

The Government’s factsheet on the new offence states that ‘if an employee commits fraud under UK law, or targeting UK victims, the employer could be prosecuted, even if the organisation (and the employee) are based overseas.’ This statement illustrates the ambitions for the potential scope of the new offence and has wider potential implications than had originally been anticipated by the Law Commission.

Given the extra-territorial effect of many of the offences above, this question of whether an offence is committed under UK law already encompasses extra-territorial conduct.  Certainly most of the underlying offences already have wide extra-territorial effect. The statutory offences listed above (except for fraudulent trading) were all given wide extra-territorial effect by s1 Criminal Justice Act 1993. This provides that the offences bite where a ‘relevant event’ occurs within England and Wales – meaning that an essential element must have occurred here, but not all elements.  Special provision was made for fraud offences; a ‘relevant event’ for the offences under ss2-4 Fraud Act 2006 includes where harm is suffered in the UK. Hence the reference to UK victims in the factsheet.

This appears to mean that a company could be prosecuted for the new failure to prevent fraud offence where, for example, it fails to stop a non-UK associated party from committing fraud abroad, provided some harm is felt in the UK or some other essential element of the fraud offence occurs here. The underlying fraud does not have to be prosecuted separately. The prosecution can decide just to pursue the company for failing to prevent the fraud.

In terms of non-UK businesses, these look to be within scope of the new failure to prevent fraud offence which applies to a ‘relevant body’ defined as a body corporate or a partnership wherever incorporated or formed. The Impact Assessment states that this includes foreign companies with UK operations. Therefore for overseas companies it will be essential when any fraud is committed to go through a careful legal and jurisdictional analysis to establish whether the new failure to prevent fraud offence applies.

Protections apply where the business has reasonable procedures to prevent fraud

Similar to the existing failure to prevent offences, the only defence would be that the company had reasonable procedures in place to prevent fraud or that it was reasonable not to have such procedures in place. In reality most large companies will require reasonable procedures and the Government will be required to publish guidance on this before the offence comes into force. Given the number of predicate fraud offences covered by the new offence and the myriad ways in which fraud can be committed both within and between different sectors, it will be interesting to see how the Government chooses to frame the guidance so that it achieves one of its objectives – driving better anti-fraud compliance.

What if the company is the victim of the fraud?

A large company is also not guilty if it is itself a victim of, or was intended to be a victim of, the fraud offence. However this concession does not apply where the person commits the fraud intending to benefit the company. It only applies where the intention was to benefit a person to whom services were being provided, eg a client or customer.

This helpful concession is therefore significantly undermined. Imagine, for example, a director acts in conflict of his duties in a way that he says was intended to benefit the company but in fact it does not benefit the company, but instead the company is a victim of his fraudulent behaviour. The company has potentially still committed the failure to prevent fraud offence. It is vital that this important ‘victim’ defence operates properly, as so many companies are themselves victims of fraud.

Individual director/officer liability

For many corporate criminal offences we often see linked officer liability for those that ‘consented, connived or neglected’ in relation to the misconduct. There is no expansion of individual criminal liability (for example for directors) connected to the new corporate offence.

Deferred prosecution agreements will be available

As expected, a company under investigation for this type of offence may be offered a deferred prosecution agreement (DPA). Most of the investigations of the failure to prevent bribery corporate offence have resulted in such settlements. This is perhaps why the Government’s Impact Assessment states that the number of additional court cases is expected to be low, although there is currently a growing trend for some companies not to enter into DPAs but instead plead guilty to failure to prevent offences.

Next steps from the Government

The Government will publish guidance on reasonable procedures. This is not expected to be published before Spring 2024. There is no commencement date yet for the new failure to prevent fraud offence but we would be expect this to be after the guidance is published.

Next steps for businesses

Businesses in scope will need to reassess risk and examine existing fraud detection and prevention processes against the new statutory guidance, when published, as well as fully documenting that process.

If the guidance is similar to that produced for the failure to prevent bribery and facilitation of tax evasion offences, companies will need to ensure:

• top-level commitment to preventing fraud
• that risks have been assessed and are kept under review
• that policies and procedures are in place and supported by appropriate training on fraud prevention issues
• that reasonable financial, commercial and accounting controls are in place to prevent fraud
• that conflicts of interest are avoided and internal functions are appropriately separated
• that appropriate enforcement mechanisms are in place, for example, through contracts of employment for employees and through general contractual terms for third parties
• that whistle-blowing procedures are adapted or adopted that cover fraud
• that anti-fraud measures are periodically monitored, reviewed and evaluated.

The Government’s Impact Assessment, when estimating set-up costs to business, assumes that for the largest organisations there will be a core team of five personnel working full-time who are managed by a project director devoting 20% of their time to the project. For the smallest companies it is assumed that one person carries out the work, reporting to the owner or chief executive. The requirement for top level commitment will mean that resource will be expected at the most senior levels too.

Looking ahead - enforcement

Examples given by those calling for reform during the various consultation processes have largely focussed on frauds causing loss to many, such as public procurement fraud  (fraud on tax payers) or fraudulent statements to markets (fraud on investors). While the offence would catch lesser frauds too, it is not unreasonable to expect enforcement authorities to be focused on these types of misconduct. Enforcement will of course depend on resources. 

Changes to the identification principle

The Act also makes significant changes to the way criminal liability for economic crimes more generally is attributed to a company via the conduct of a senior manager. Our separate blog post discusses the change and what it means for businesses.