Expansion of the UK’s corporate criminal liability regime

The Economic Crime and Corporate Transparency Act is the latest piece of legislation introduced by the UK Government to combat economic crime and strengthen corporate transparency. It builds on, and supplements, the Economic Crime (Transparency and Enforcement) Act 2022, which created a Register of Overseas Entities, reformed the UK unexplained wealth order regime and allowed the UK Government to act more efficiently when imposing sanctions. The ECCTA expands on the transparency, corporate liability and sanctions reforms introduced by its predecessor.

As we will explain further below, the amendments introduced by the ECCTA, the application of which is in part extra-territorial, are relevant for Norwegian companies with UK subsidiaries or operations.

This article will focus on the expansion of corporate criminal liability through the ECCTA’s introduction of the ‘failure to prevent fraud’ offence and reform of the identification doctrine (the manner for attributing corporate criminal liability under English law). In addition to these reforms, we briefly mention that the ECCTA contains several requirements relating to the registration of companies in the UK, including to enhance the powers of the UK Companies House, introduce new company registration requirements and identity verification requirements for company directors and people with significant control, and increase the transparency of ownership and governance of UK corporate entities.

‘Failure to prevent fraud’ as a new criminal offence

The ECCTA introduces ‘failure to prevent fraud’ as a criminal offence for companies and partnerships (together referred to as ‘organisations’) . The offence builds on existing offences such as the failure to prevent facilitation of tax evasion under the UK Criminal Finances Act 2017 and failure to prevent bribery under the UK Bribery Act 2010. As with these offences, the failure to prevent fraud offence applies across all commercial sectors. However, unlike the pre-existing ‘failure to prevent’ offences, the offence under the ECCTA is limited to ‘large organisations’.
Section 201 of the ECCTA defines ‘large organisations’ as bodies that satisfy at least two of the following three conditions in the financial year preceding the fraud offence:

1. More than £36 million turnover
2. More than £18 million in total assets on the balance sheet
3. More than 250 employees 

Pursuant to Section 202, the offence also applies to parent companies (including non-UK parent companies, if there is UK nexus) if the group satisfies, in aggregate, at least two of the following three conditions in the financial year preceding the fraud offence:

1. More than £36 million net (or £43.2 ­million gross) turnover
2. More than £18 million net (or £21.6 ­million gross) in total assets on the ­balance sheet
3. More than 250 employees

It is possible that the scope will expand in the future to include small and medium sized enterprises (SMEs), since the thresholds can be amended by secondary legislation. 

Importantly, the failure to prevent fraud offence has a wide extra-territorial application. The UK Government’s Factsheet about the new offence states that if an employee commits fraud under UK law, or targeting UK victims, the employer could be prosecuted, even if the organisation or the employee is based overseas. Since most of the listed offences already have a wide extra-territorial application, Norwegian companies with UK operations could be liable if an associated person commits fraud or an essential element of fraud in the UK, or if some harmful impact of the offence is felt in the UK (e.g., the offence targets UK victims). 

For organisations to be liable for the failure to prevent fraud, three conditions must be present: 

1. a specified economic offence must be committed by an ‘associated person’, i.e. an employee, agent or subsidiary of the organisation, or a person that otherwise performs services for or on behalf of the body 
2. the offence must be intended to benefit, directly or indirectly, the organisation or any person to whom the organisation provides services (e.g. customers or clients) 
3. the organisation must not have had reasonable fraud prevention procedures in place. 

The term ‘associated person’ is defined broader in the ECCTA than its counterparts in the failure to prevent bribery and failure to prevent facilitation of tax evasion offences. Under the latter offences, subsidiaries and employees will only be ‘associated persons’ if they perform services for or on behalf of the organisation (albeit that there is a (rebuttable) presumption that employees will be considered associated persons of their employer company). In contrast, all subsidiaries and employees are automatically considered ‘associated persons’ by virtue of section 199(5) of the ECCTA. It remains to be seen whether these distinctions in the respective legislative texts – which may create problems in practice if equivalent terms are given different meanings – will remain once the government guidance on the failure to prevent fraud offence is published.

Liability is not dependent on the company being aware of the fraud. Nonetheless, the organisation will not be liable if it was, or was intended to be, a victim of the fraud offence. This concession only applies where the offence was intended to benefit a client or customer of the organisation, and not where it was intended to benefit the organisation.

The UK government will publish a list of economic offences to which the duty to prevent fraud will apply. The list will include false accounting, as well as core offences under the UK Fraud Act 2006, such as false representation, failure to disclose information and abuse of position. Additionally, obtaining services ­dishonestly, participation in a fraudulent business, fraudulent trading, false ­statements by company directors, and cheating the ­public revenue will be covered. Money laundering will not be considered an ­offence under the new provision, as ­legislators considered it already addressed by existing regimes. Further offences can be added by secondary legislation, ­provided that they involve ‘dishonesty’, are of a similar character to those listed, or are relevant money laundering offences under Section 327 to 329 of the Proceeds of Crime Act 2002 (concealing, arrangements, and acquisition, use and possession).

Moreover, the failure to prevent fraud offence also includes ‘aiding, abetting, counselling or procuring the commission of a listed offence’. Thus, a company could be liable in cases in which an employee has assisted another entity in committing an offence intended to benefit the company or its clients.

Organisations will benefit from a defence to the failure to prevent fraud offence if they can prove that they had reasonable procedures in place to prevent the fraud, or that it was not reasonable to expect any prevention procedures to be in place. This must be decided in light of ‘all the circumstances’. The Act’s use of the term ‘reasonable procedures’ reflects the recent shift in the UK legal landscape – including by the House of Lords Bribery Act 2010 Committee and the UK Law Commission – from a requirement that prevention procedures should be ‘adequate’, to the expectation that they must be ‘reasonable’. This, in turn, reflects a fear that the term ‘adequate’ would be interpreted so strictly that no defendant company would be able to avail itself of the defence. The Government is required to issue guidance about procedures which are considered reasonable in this regard, and such guidance is expected to be published in spring 2024.

Based on the UK Government’s guidance to the failure to prevent bribery and failure to prevent facilitation of tax evasion offences, it is expected that the guidance may cover the following topics:

• Having in place proportionate procedures to prevent economic crimes 
• Top-level commitment to preventing bribery by associated persons
• Undertaking periodic, informed and documented risk assessments
• Implementing due diligence procedures
• Communication and training
• Monitoring and review of procedures designed to prevent fraud

The failure to prevent fraud offence is expected to enter into force after the UK Government’s guidance on reasonable procedures has been published. If convicted, the organisation is liable to a fine, a limit for which is not stated in the ECCTA.

Reform of the identification doctrine expanding corporate criminal liability for economic crimes

The identification doctrine entails that where a specific mental state (e.g. intent, dishonesty or recklessness) is a prerequisite for an offence, a company would only be liable if a person representing the ‘directing mind and will’ of the company possessed the required mental state. This evidential hurdle has proved challenging for prosecutors in practice, however, in particular with respect to larger organisations (as also illustrated by a number of high-profile prosecutorial failures by the UK’s Serious Fraud Office in later years). To make it easier to prosecute companies for criminal wrongdoing, and aiming to establish a more effective deterrent, the ECCTA expands the extent to which companies and partnerships can be held criminally liable for economic crimes. This expansion entered into force on 26 December 2023.

Under Section 196 of the ECCTA, organisations will be guilty of a ‘relevant offence’ committed by a ‘senior manager’ acting within the actual or apparent scope of their authority. This also applies where the senior manager attempts or conspires to commit an economic crime as defined in the Act. Unlike the ‘failure to prevent fraud’ offence, the reform of the identification doctrine applies to all companies regardless of size.

A ‘senior manager’ is defined as an individual who plays a significant role in:

1. the decision-making about how the organisation’s activities, or a significant part of the organisation’s activities are to be managed or organised, or
2. the actual managing or organising of the whole or a substantial part of those activities

Schedule 12 of the Act contains a list of ‘relevant offences’ of an economic nature, including the offences covered by the failure to prevent offence, as well as others, such as money laundering, offences relating to sanctions and terrorist financing, and certain financial services offences under the Financial Services and Markets Act 2000. 

In its Factsheet about the reform, the UK Government outlines its intention to extend the identification doctrine reform to all criminal offences in due course. This means that companies will need to put in place measures to prevent employees, agents, subsidiaries and other associated persons from committing a wider range of economic crimes than those covered by the ‘failure to prevent fraud’ offence.

If no act or omission forming part of the offence takes place in the UK, the organisation is only guilty of an offence if it would be guilty of the relevant offence in the country in which it was committed. Since most of the ‘relevant offences’ under the ECCTA are offences also under Norwegian law, the reform of the identification principle will also potentially affect UK subsidiaries of Norwegian companies, even where the offence itself is committed in Norway, provided there is still some form of UK nexus / involvement of the UK subsidiary. It is worth noting, however, that Norwegian law already allows for attribution of corporate liability where an offence has been committed by a senior manager who has acted on behalf of a company, and this concept as such should therefore already be well-known to Norwegian entities.