After much debate and extensive review and consideration, new offences relating to corporate failings to prevent fraud are on the horizon, with implementation due in 2024.
The Economic Crime and Corporate Transparency Act (ECCT Act) has now received royal assent and is ever closer to becoming law.
Various proposed amendments had been passed back and forth between the Commons and the House of Lords, but the final version has taken shape, giving food for thought for those responsible for ensuring corporate compliance.
The ECCT Act follows on from the Economic Crime (Transparency and Enforcement) Act 2022, (ECTA Act) which was quickly ushered in following the Russian invasion of Ukraine.
The ECTA Act was the first stage of a new commitment to:
- bolster the UK's fraud legislation;
- strengthening Unexplained Wealth Orders;
- expanding UK sanctions laws; and
- creating a Register of Overseas Entities.
These were the first shots in the legislative salvo, with more promised.
Whilst the ECTA Act focused on assets and identity, corporate culpability reforms are now also firmly in the legislative sights.
There have been calls for reform for many years, with prosecutors decrying the hurdles they have had to overcome to prove a company had a ‘directing will and mind', be that one or more individuals, in order to prove culpability. The new ECCT Act however removes that burden, with the focus now on the systems and controls that a company has.
If reasonable (given the firms size, complexity etc.) prevention procedures are in place, then a defense is available, but if not, companies which meet the criteria of the ECCT Act can expect prosecutors to use these new powers with glee. The evidential baton is about to be passed over, so companies are well advised to review their systems and controls to ensure they are ready for the changes ahead. We look toward the UK and global financial services and wider regulated sector to understand what ‘good' systems and controls look like – this is due to the length of time, investment and refining that has taken place in wider economic crime elements, such as anti-money laundering (‘AML'), sanctions and bribery compliance for example. To this end we have drawn from a tried and tested framework and programme to group and expand the control elements. These include:
- Board Risk Appetite;
- Governance arrangements (staff/people/companies, IT systems, board arrangements);
- Risk Assessments;
- Policies and Procedures;
- Training and awareness programmes;
- Incident Management & Intelligence;
- Reporting (internal and external);
- Monitoring & Testing arrangements; and
- Data Management
There had been extensive speculation that the new proposed law would target individual liability, with directors and others in control being under scrutiny by virtue of their position, however there are no specific provisions for associated liability at this time.
Presently the intention is that individuals could still face charges themselves, but only for the offences they are said to have committed.
Which offences are covered by the ECCT Act?
Whilst AML is very much on the government's agenda, specific money laundering offences are considered well serviced by current regulatory and legislative powers, and are therefore not currently expanded upon in the new legislation. Instead, a list of specific offences are identified which are perhaps the most prevalent when fraud offences, money laundering aside, are prosecuted.
Are all companies liable under the proposals?
There has been speculation that the legislation would be extended to cover a range of companies, including SMEs, but the ECCT Act's swaying passage through parliament resisted change, and maintains the initial position that only large corporate entities and partnerships will be subject to the future law.
The ‘large organisation' applicability test below applies across all sectors, and includes large not for profit organisations.
In order to fall under the statutory umbrella, a company will be considered to be a, large organisation, if two of the following three statutory considerations are met in the financial year preceding the alleged offence occurring, these being:
- Turnover of more than £36 million;
- Balance sheet total more than £18 million; and or
- More than 250 employees.
Risky business or business risk?
For most businesses which fulfil the criteria of a large organisation, systems and controls will need to be a reasonable as possible to stand scrutiny if wrongdoing is suspected or alleged.
The legislation does however allow for the reasonable procedure obligation to be avoided, if was not reasonable in all the circumstances for the body to have any procedures in place. This is presumably applicable to low-risk businesses, but quite how that will be defined is yet to be seen.
More will be needed by way of guidance from the government prior to enforcement for a relevant body to properly assess and understand whether they could fall to be liable to have reasonable procedures, and even then, expert advice would be well advised to ensure compliance. The guidance should also set out a minimum criteria for what is expected to be reasonable procedures for companies for which they are required – we imagine that these will mirror to a certain extent the high level items listed by the Ministry of Justice for bribery, however, in the interim our nine-point risk management plan is what we are using to discuss planned controls with firms.
What are the elements of the offence?
There is a broad definition as to who could actually commit the offence, and thus render the relevant body potentially culpable. An ‘associated person', defined as an employee, agent or a subsidiary could commit the offence, and without the company's knowledge. Alternatively, they could be a person who performs services for or on behalf of the company. Such actions would need to be for the benefit of the company or subsidiary, or any person to whom they provide services on behalf of them.
Interestingly however, the relevant body would be deemed not guilty of the offence if they themselves were the actual or intended victim of the fraud. This is likely to throw up some creative legal challenges in due course where a company finds itself under scrutiny, as fraud by an individual will often be against the company they work for, but the company could actually benefit from other consequences of the fraud.
How far does the legislation extend?
The legislative tentacles would appear to stretch far and wide, with many of the offences listed already having extra-territorial reach where an element of the offence occurs in the UK, but does not have to be entirely based here.
Where there are UK victims or other UK nexus, companies could be prosecuted even if they and their associated people are based overseas. Similarly, as with bribery and tax evasion offences, UK entities will be responsible for actions of their employees, agents and subsidiaries across the globe.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.