In the following guest post, Mark Sutton and Leah Barratt take a look at the proposed Economic Crime and Corporate Transparency Bill, a piece of legislation currently pending in the U.K. Mark is a Partner and Leah is a Senior Associate in the Clyde & Co. law firm. A version of the article previously was published on the Clyde & Co. website. I would like to thank Mark and Leah for allowing me to publish their article on this site. I welcome guest post submissions from responsible authors on topics of interest to readers of this blog. Please contact me directly if you would like to submit a guest post. Here is Mark and Leah’s article.
***********************
According to a recent factsheet issued by the UK Government, fraud made up 41% of all crime in the UK in the year ending September 2022.[i] It comes as little surprise, therefore, that the UK Government has announced its intention to tackle the problem and importantly, the solution comes from the inside out. Organisations will be held to account through the introduction of the new corporate criminal offence of “failure to prevent fraud.”
The offence will be introduced through the Economic Crime and Corporate Transparency Bill (the “Bill”) which is currently going through the legislative process in the UK. Although there may be further refinements to the Bill, the overall intention, it seems, is to drive a cultural change in attitudes towards fraud by shining a light on an organisation’s own affairs. Organisations, including those based outside of the UK, will have to look inwardly at their own procedures and establish whether they need to take further action to prevent fraud on the organisation itself or to others. In that sense, the aim of this legislation is not to prevent “fraud” as we ordinarily know it. It is broader than banking fraud and online fraud: its aim is to prevent fraud being committed by an employee of an organisation with a view to the organisation itself benefitting.
In this article, we discuss the key elements of the proposed offence, its international reach, the potential steps an organisation might take to help prevent fraud (and thereby improve its defence to the offence), what the offence means for insurers and the points they need to start considering.
What is the new corporate offence of failure to prevent fraud and what are the sanctions?
In general terms, the offence provides that organisations will commit an offence if an “associated person” commits a fraud offence whilst intending to benefit: (a) the organisation; or (b) any person who receives services from the organisation.
There are several underlying fraud and false accounting offences which underpin the corporate offence. These include fraud by false representation, fraud by failing to disclose information, false statements by company directors and fraudulent trading. Money laundering offences are not included under the new offence on the basis that adequate provision has already been made in the existing regulatory regime.
According to the UK Government’s press release on the subject, the offence is designed to capture dishonest sales practices, false accounting and hiding important information from consumers or investors[ii]. In that sense, it allows for an organisation to be accountable for the actions of junior managers, who may have committed offences to inflate their team’s performance to senior management[iii].
If convicted, an organisation can receive an unlimited fine. There will be no limit to the circumstances which a Court can take into account when deciding the appropriate level of fine.
How will the impact be felt internationally?
There is no geographical restriction on the scope of the offence, which means that even international organisations could be at risk of committing the offence if they have a branch in the UK or operate a UK subsidiary. The UK Government has confirmed that the offence will apply where an employee commits fraud under UK law or targets UK victims, even if the organisation and employee are based overseas.i
Advocates for this extra-territorial scope suggest that it is necessary to capture the global nature of this type of corporate activity[iv]. In other words, that fraud is an international problem, and therefore it requires far-reaching measures to tackle it.
Conversely, opponents of the new regime ask why an entity in one jurisdiction, such as the UK, should be held accountable for the actions of a legally-distinct entity in another.[v] They also suggest that the breadth of the “associated person” definition might mean that employees/consultants/advisers of a subsidiary in a non-UK jurisdiction, are regarded as “associated persons” of the UK parent company. Perhaps the bigger question raised by these opponents is if an employee of an overseas subsidiary commits a fraud on a customer of the subsidiary in the relevant overseas jurisdiction, is that really a proper matter for the criminal jurisdiction of the UK.
Either because of, or despite, these questions, there remains some uncertainty about the extra-territorial application of the offence. What is clear though is that even international organisations may fall within the scope of the offence (subject to certain criteria, discussed below) and that to afford itself the best protection, an organisation will need to implement its policies and procedures consistently across all international branches and subsidiaries. We address these points further below.
Which organisations will be affected?
The offence applies to all large companies and partnerships, large not-for-profit organisations (such as charities) and public bodies incorporated in the UK. To qualify as a “large” organisation (as defined under the Companies Act 2006), the body must satisfy at least two out of three of the following criteria: (i) more than 250 employees; (ii) more than £36 million turnover; and/or (iii) more than £18 million in total assets.
Who is an “associated person”?
An associated person will be anyone who is an employee, agent or subsidiary of the organisation, or anyone who performs services for or on behalf of the organisation. This could include, therefore, consultants and advisers, whether they are employed by the organisation or not. Importantly, it appears that the associated person could be based outside the UK and/or be engaged by a non-UK organisation and yet still fall within the scope of the offence.
Are there any carve-outs available?
An organisation will not be criminally liable if it is a victim, or intended victim, of the fraud. This means that if an employee commits a fraud on its own employer, such that the organisation becomes the victim, the organisation will not have committed the offence.
An organisation will also have a defence if it can prove that it either had reasonable procedures in place to prevent the fraud, or that it was reasonable not to have such procedures (such as where the risk of fraud is extremely low)i.
What might reasonable procedures look like?
The UK Government will publish guidance on good practice in due course, which will outline the kinds of reasonable procedures that organisations will be advised to implement to prevent fraud occurring. It is likely that adherence to such guidance will form the benchmark for determining the reasonableness of the procedures in place.
One might assume that the Government will mirror the procedural framework that it has laid down for the offences of failure to prevent the facilitation of tax evasion, under the Criminal Finances Act 2017, and failure to prevent bribery, under the Bribery Act 2010 (albeit the latter has the higher threshold of “adequate procedures”). We can therefore speculate that the Government’s guidance may include the following recommendations:
- the organisation should develop a fraud prevention programme comprising a policy of zero-tolerance to fraud and detailed policies and procedures for the prevention of fraud;
- the policies and procedures should be developed following risk assessments to ensure that they adequately cover the risks posed to the organisation. There should be a procedure for regular risk assessments to ensure that the organisation’s policies continue to protect against the specific risks posed to it;
- HR policies and practices should be developed with the requirement for mandatory training and clearly-communicated sanctions for violation. The programme should be incorporated into employee contracts and performance appraisals;
- there are procedures to ensure the organisation is informed of emerging best practices; and
- board members and senior executives should have oversight of the programme.
Businesses will need to reflect on their current fraud prevention procedures and consider whether they need to develop new procedures to meet the statutory guidance, or whether they can adapt or extend their current procedures to meet that standard. In order to comprehensively protect itself, the organisation will need to implement the relevant procedures and practices at a global level. Any deficiencies may cause the organisation to fall short of the “reasonable” procedures it must implement to avail itself of the defence.
The initial effort required in the designing of programmes, risk assessments and procedures in order to meet the threshold is likely to be extensive, particularly where an organisation spans multiple jurisdictions. Of equal importance, however, will be effective implementation, which will require the global co-ordination and commitment of HR management and the organisation’s employees.
What impact will the new offence have on organisations?
The new offence will ultimately make it easier to convict organisations of failing to prevent fraud which is committed by its associated persons.
The Impact Assessment prepared by the Home Office indicates that prosecutions are likely to be limited in numberiii. The expectation, it appears, is that cases will result in a Deferred Prosecution Agreement (“DPA”) in common with other “failure to prevent” regimes. Under a DPA, the prosecution of an organisation can be suspended on several conditions. These conditions usually require the organisation to take remedial action and to co-operate with the Serious Fraud Office (“SFO”) in its ongoing investigations, which often concern the executives involved in the wrongdoing. Importantly, the SFO’s reach extends to foreign companies where they have a UK presence. As a result, D&Os may face a greater exposure to subsequent prosecutions (though, so far, the SFO has only secured one conviction against an individual further to a DPA).
What will be the impact for Insurers?
Whilst the Bill goes through the legislative process, there may be further amendments to the scope of the offence and/or the sanctions associated with it. What is clear though, is that the companies themselves are the conduit for reform. They will be held accountable for the criminal conduct of their employees, widening the pool of potential culpability.
Insured entities
Insured entities may therefore seek extended Side C cover under a D&O policy and/or cover under their civil liability insurance in respect of claims for their failure to prevent fraud. If they do, it is unlikely that it will be challenging to meet the requirement for a wrongful act or omission. One can foresee situations in which the definition might be fulfilled automatically upon commission of the fraud, given the strict-liability style of the offence.
Looking further at the components of the insuring clause, insurers are faced with a striking irony: the offence is committed where the organisation benefits from the fraud committed by its associated person, yet that same organisation is entitled to present a claim to insurers for the “Losses” it has sustained by virtue of the fraud. Whilst this is not in itself prohibitive to cover, it does pose wider public policy questions of whether an organisation should benefit from insurance cover in respect of a prosecution where it has already been found that the company has benefitted from the underlying fraud. The answer is likely to lie in whether the organisation’s conduct was morally reprehensible. Ordinarily, insurers may look to the conduct exclusion to protect themselves in such circumstances, but the absence of any requirement of dishonesty for the offence to be made out against the organisation means that the conduct exclusion may not be applicable until a final conviction against the entity, or an admission. It will be important for insurers to review the conduct exclusion with this in mind, in addition to (and not instead of) the fact that the underlying fraud offence requires the perpetrator to have acted dishonestly in the first place.
What is clear though, is that any criminal fines and penalties imposed on an organisation would still be excluded from cover, at least under English law.
As we have discussed above, the SFO has powers to investigate individuals and companies both in the UK and even abroad if certain conditions are fulfilled. The implementation of this new offence, coupled with its apparent extra-territorial reach, may, in turn, result in more claims for investigation costs and pre-investigation costs. Insurers will therefore need to be clear on the trigger for these covers and their scope.
In a similar vein, where a DPA is granted, an organisation may have a continuing duty to co-operate with the SFO, meaning that it may be required to provide evidence for the SFO’s investigation. The disclosure of such evidence may increase the potential for prosecutions of individuals, which in turn may trigger the advancement of defence costs to those insured persons.
Individuals
In light of that, one might also expect more civil claims and/or criminal prosecutions to be pursued against senior management or the “associated persons”. Cover may be afforded to individuals, under a civil liability policy or under Side A or B of a D&O policy. Irrespective of the way the claim is presented, Insurers will need to have careful regard to the “Insured Persons” definition to ensure that the appropriate level of cover is afforded to the individual (particularly where the individual is also the “associated person”) and that cover is not afforded to those for whom it was not intended.
Conclusion
Through the introduction of the failure to prevent fraud offence, large organisations look to become the new stewards of economic and cultural change and they will have to bear greater responsibility as a result. The new legislation will shift the burden of combatting economic crime onto those entities and they will have to look inwardly at their procedures and processes to ensure that they are reasonable by reference to the incoming government guidelines. Inevitably, some will slip through the net, so insurers would do well to consider what steps they can take ahead of time to ensure that their policies respond only in the way that is intended.
[i] UK Government Policy Paper “Factsheet: failure to prevent fraud offence”, updated 11 April 2023. It can be found here.
[ii] News Story: “New crackdown on fraud introduced by the Home Office” published 11 April 2023, found here
[iii] The Home Office Impact Assessment, “Introducing a failure to prevent fraud offence covering all large organisations” dated 23 November 2022. It can be found here.
[iv] “Corporate Criminal Liability: an options paper” by the Law Commission, 10 June 2022, page 97, paragraphs 8.39 to 8.41
[v] “Corporate Criminal Liability: an options paper” by the Law Commission, 10 June 2022, page 98, paragraph 8.43