Failure to prevent fraud: Corporate crime enters the C-Suite

Many larger corporates in the UK will face criminal investigation and prosecution if fraud or other offences by employees benefit the company.

A new criminal offence directed at corporates, “failure to prevent fraud”, has been proposed by the UK Government. The measure is within the Economic Crime and Corporate Transparency Bill, which has almost completed its passage through Parliament. The Bill has broad bi-partisan support and is expected to become law before Spring 2024.  

The new law, which only applies to larger organizations, has been described by the Director of the Serious Fraud Office as a “game changer for law enforcement”. It will mean that many larger corporate enterprises in the UK will face criminal investigation and prosecution if fraud or other offences by employees or others have benefitted the company, regardless of the state of mind of directors and senior managers.

At the same time, the UK Government is also proposing to widen the traditional test for corporate criminality for all organizations, not just larger ones, and widen the investigatory powers of UK law-enforcement relating to economic crime.

Fraud prevention processes

Prevention is far better than cure, and companies should consider their fraud prevention processes and infrastructure now. Substantial anti-fraud governance and processes will benefit the overall businesses and be vital to their defence, should they find themselves subject to a criminal investigation under the new law.

The Government’s objective is to prevent fraud and protect victims by driving a shift in corporate culture. It is expected that penalizing organizations which profit from fraud committed by their employees or agents, will be disincentivize the temptation to turn a blind eye to warning signs and incentivize effective fraud prevention procedures.

Currently, if a fraud takes place within a company, the company will only be found liable if a person who can be identified as the “directing mind and will” of the company has the relevant dishonest state of mind. This is called the ‘identification doctrine’ and has its roots in concepts of corporate identity and governance developed in the 19th century. As companies have grown larger and more complex, their central management is typically far more distant from day-to-day operations than in the past. A director or other person qualifying under the “directing mind” test in a large company is far less likely to have direct knowledge of specific conduct by staff.

This is said to have created a loophole. Outside of specially created statutory regimes (such as health and safety, bribery, or corporate manslaughter) a larger company is less likely to face a charge than a smaller one, even though wrongdoing by larger companies may well do more harm.  

Reforms to the identification doctrine itself are also being proposed. However, the failure to prevent offence is entirely new.

Criminal conduct

Under draft amendments introduced on April 11, 2023 to the Economic Crime and Corporate Transparency Bill 2023, a company or partnership which meets certain size and turnover criteria would be guilty of an offence if it has “failed to prevent” the criminal conduct of an employee, agent or subsidiary and the intent of the perpetrator is to benefit the company. 

There will be no need to identify a single person as the “directing mind and will” of the company, as under the current law, neither will there be any need to demonstrate that those heading the company ordered or knew about the fraud. The offence will not be committed if the company itself is the actual or intended victim, although the perpetrators would still be criminally liable for the underlying fraudulent conduct.

The penalty could be an unlimited fine, the size of which would be determined by the Court and could be expressed as a multiple of the company’s gains or profits.

Large companies affected

The Government’s aim is to include only what are thought of as large organisations in the regime. Large organisations are defined as satisfying two of the following criteria:

  • revenue greater than £36m ($45m);
  • balance sheet total greater than £18m ($22.6);
  • more than 250 employees.

These tests are to be applied to the financial year in which the offence is alleged to have occurred. At present, companies that do not meet the criteria will be exempt from the offence. However, they will remain subject to the “identification principle”.

The failure to prevent fraud offence will be limited to commercial organisations (i.e., corporate bodies such as companies and partnerships). The amendment does not materially increase the exposure of individual company employees or officers to criminal legal risk, although the new enforcement environment will mean that the risk of detection of any personal dishonesty is bound to go up.

The draft legislation restricts the application of the offence to a limited definition of “economic” crime.

Among the relevant offences currently defined are:

  • Fraud by failing to disclose information (section 3, Fraud Act 2006).
  • Fraud by false representation (section 2, Fraud Act 2006).
  • Fraud by abuse of position (section 4, Fraud Act 2006).
  • False accounting (section 17, Theft Act 1968).
  • Tax-evasion (“cheating the revenue”) (common law).
  • False Statements by Company Directors (section 19, Theft Act 1968).
  • Fraudulent Trading (section 993, Companies Act 2006.
  • Participation in a fraudulent business (section 9, Fraud Act 2009).
  • Obtaining services dishonestly (section 11 Fraud Act 2006).

The types of conduct that could be caught are wide and far reaching. According to Home Office Guidance, conduct caught will include “dishonest sales practices, false accounting and hiding important information from consumers or investors” and “dishonest practices in financial markets”. Other crimes such as insider-dealing, money-laundering or cartel offences are presently excluded from the Government’s draft (albeit including money-laundering has been proposed in non-Government amendments in the House of Lords).  

Much like the Bribery Act 2010, the Failure to Prevent Fraud offence will be subject to a defence – that the organisation in question had in place “such prevention procedures as it was reasonable in all the circumstances to expect the body to have in place”.

Directing mind and senior managers

The new amendments will completely reform the identification doctrine in respect of economic crimes, which has so far meant that corporate liability only typically arises where higher levels of senior management are involved. The new amendment introduces what we call the Attribution Principle. This is a test based on the definition of “senior manager” that was first promulgated in the Corporate Manslaughter and Corporate Homicide Act 2007 (CMCHA 2007).

Instead of corporate liability arising only when a person with the “directing mind and will” of the company is proved to have participated in the alleged crime, the Attribution Principle would apply when a company has delegated responsibility for actions of which even its directors may be unaware.

Whether a person is a “senior manager” will not depend on their job-title but will be defined contextually. Relevant factors in each case will include:

  • the person’s roles and responsibilities;
  • the level of managerial influence they might exert in the day-to-day running of the part of the businesses suspected to be at fault;
  • if they play a significant role in the making of decisions about the whole or a substantial part of the activities of the corporate body.

The penalties for corporate convictions arising as a result of the application of this new principle will be no different to those in existing law. Fines may be unlimited for companies. For individuals, individual liability and directorial disqualification may well follow.

Scope of the Attribution Principle amendment

The Government states that the intention behind this amendment is to “overcome the narrow interpretation of corporate liability established by case law”, and to enable the UK to “bring proceedings in high-profile cross-border economic crime cases in support of partner agencies such as the US Department of Justice”.

It seems that this is the start of yet wider reform in the sphere of Economic Crime. The Government states that it is “committed to extending this to all crimes when Parliamentary time allows in Economic Crime Plan 2 and the Fraud Strategy”.

Under clause 195 “Attributing criminal liability for economic crimes to certain bodies”, corporate liability for economic crimes will arise if:

  • a “senior manager” of a company,
  • acting within the “actual or apparent scope of their authority”
  • commits an economic crime, or encourages, assists, aids, abets, counsels, procures, or conspires with another to do so, or attempts such an offence.

“Senior managers” are defined as those who either “manage or organise” a “substantial part of the activities” of the company in question, or who play a “significant role” in doing so. The penalty could be an unlimited fine, the size of which would be determined by the Court and could be expressed as a multiple of the company’s gains or profits. Unlike the Failure to Prevent Fraud offence, the defence of “reasonable procedures” will not be available to corporates. Instead, the case for the defence will depend on the evidence in the case at hand.

Risks to businesses

The scope of this new “attribution principle” is broad. The key risks to businesses are:

  1. increased risk of criminal liability for corporates;
  2. the definition of senior manager is contextual, and thus it could in theory  encompass anybody, regardless of job title, who appears to be acting within their authority  and who  plays a significant role in the day-to-day management of a company.
  3. unlike the Failure to Prevent offence, there is no statutory restriction on prosecuting companies under this principle, even where the company itself was the victim. Nevertheless, we think it would be extraordinary if a victim were prosecuted in a “real world” situation;
  4. the types of conduct caught are as broad as those identified above under the failure to prevent offence, and it is quite possible that we will see an expansion of the Attribution Principle” for corporate criminal liability across a wider range of criminal offending in years to come.

International reach

Conduct committed abroad by a person through whom corporate liability may be attributed to the company, could still be caught by UK criminal law, if it is the case that the company would be guilty of the relevant offence “had it carried out the acts that constituted that offence (in the location where the acts took place)”.

This appears to be a recasting of a similar concept in proceeds of crime and extradition legislation, If enacted, this would expand the traditional jurisdiction of UK corporate criminal law.

Expanded investigatory powers

The UK Serious Fraud Office (SFO) has significant powers of compulsion of evidence, whether from witnesses or as regards documents. However, this tends to be limited to a point in time when an investigation has been officially opened. Only in cases of international corruption and bribery can the SFO compel evidence before an investigation is opened (ie to determine whether to do so).

Another proposed provision of the Economic Crime and Corporate Transparency Act is to expand those powers to cases involving a much wider menu of potential crimes, and to allow them in both domestic and international matters. This is likely to have significant practical effects enabling the SFO to filter cases earlier and more efficiently, but it will also increase the burden on UK corporates as more demands can be expected. Some SFO’s demands are compulsory and cannot be ignored.  

This reform alone would give rise to an up-tick in investigations and documentary demands from the SFO. Combined with the substantive legal reforms contained in the Failure to Prevent Offence and the Attribution Principle, they are likely to trigger a considerable intensification of enforcement activity by UK authorities, in particular the SFO, over the next three to five years.

Three key steps

Risk analysisTo identify those areas of their business that present risk under the new legislation.The analytical focus should on the type of conduct identified in the definition of “economic crime” in the draft bill. Each business will be different, but workstreams at greater risk might include those engaged in sales in less regulated markets, in a procurement function, and those departments with a high dependence on third party vendors or service providers.  
Audit existing fraud controlsTo understand the scale and nature of existing risk within the organization.Review every area of the business, and specifically include areas such as sales, the supply chain, billing mechanisms and third-party vendor and cost approval processes.     
Update and implement fraud controlsTo mitigate risk and train employeesBased on the review and audit, update existing policies and put in place working processes. Include the creation of processes for investigating a breach of a policy or an instance of fraud. Embed within business processes and communicate to all employees. A rolling training programme may assist the workforce in reducing risk in their areas.

Defence of reasonable procedures

What happens if a business finds itself subject to an investigation?

We expect there to be a transitional period prior to this part of the Bill becoming law.  This will not occur until official Guidance on suitable anti-fraud procedures is made available by the UK Government.

What will be considered reasonable procedures?

The nature of what is, or is not, a reasonable procedure, and how one can tell in advance of any criminality occurring, will be impossible to define in the abstract.

The burden of proof of reasonableness will be on the defending company.

The Government will publish guidance providing organizations with more information about reasonable procedures before the new offence comes into force.

Whilst the Guidance is likely to contain examples and explanations, we expect it to be caveated such that each case will still have to be assessed on its unique facts. The test of reasonableness will likely vary according to the risk which each individual company happens to face.

Failure to prevent and senior managers: resolving cases

The new law appears to soften the defence in the Bribery Act of having in place “adequate procedures”. A defence of “reasonable” procedures will, we expect, be assessed against what a company could reasonably be expected to achieve, as opposed to whether or not the procedures were “adequate” against a single benchmark standard. It is, perhaps, an indicator that only serious cases will be expected make it to court and that the SFO may look to alternative resolution of suspected failures to prevent fraud.

Those alternative resolutions will likely include Deferred Prosecution Agreements (under the Crime and Courts Act 2013). Government amendments to the Economic Crime Bill propose including the failure to prevent fraud offence in that regime. This would allow prosecutors to resolve corporate cases without a trial, as is the case with bribery. As with bribery cases, we would expect that over time such agreed resolutions will become the norm for affected companies.

However, the reasonable procedures defence will not apply to cases where the basis of liability is not Failure to Prevent”, but more traditional charges which turn on the Attribution Principle, although many such offences may also be resolved by Deferred Prosecution Agreements.

Three steps to reasonable prevention

Those familiar with the Bribery Act 2010 will recognise the “failure to prevent” model and the new law will represent an extension of existing failure to prevent procedures.

The critical difference is that whilst the Bribery Act scheme required a focus on a narrowly-defined set of anti-corruption offences, the new failure to prevent fraud offence will require appreciation of a wide range of potentially fraudulent activity.

From a legal point of view, the draft legislation represents a further step in the direction of “criminalization” of corporate governance, which has been a long-term trend since the 1990s. There will be a meaningful increase in the potential impact of serious misconduct by corporate employees, or anyone else representing large companies. As a result, the issues of fraud and appropriate compliance and controls are bound to loom larger on the average risk-register and legal team’s agenda.

Most, if not all, large businesses will need to dedicate some resources to assessing their exposure to the risk of fraud perpetrated within their business, by their employees or agents acting on their behalf and the range of actors for whom companies might be liable could yet be extended.

Eoin O’Shea is a partner and head of White Collar Practice and Kitty St Aubyn is a senior associate (barrister) practising primarily in the Corporate Crime group in the law firm CMS.