The Economic Crime and Corporate Transparency Act 2023 (ECCTA 2023) has enacted a new failure to prevent fraud offence which will come into effect on 1 September 2025.
Global asset managers in particular should be aware that the new offence has extraterritorial reach, applying not just to UK affiliates, but to any involvement in fraudulent activity with a UK nexus.
ECCTA 2023 provides "Section 199 Failure to prevent fraud
1) A relevant body which is a large organisation1 is guilty of an offence if, in a financial year of the body ("the year of the fraud offence")2, a person who is associated with the body ("the associate")3 commits a fraud offence intending to benefit (whether directly or indirectly)—
a) the relevant body, or
b) any person to whom, or to whose subsidiary undertaking, the associate provides services on behalf of the relevant body.
2) A relevant body is also guilty of an offence under subsection (1) if—
a) an employee of the relevant body commits a fraud offence intending to benefit (whether directly or indirectly) the relevant body,
b) the fraud offence is committed in a financial year of a parent undertaking of which the relevant body is a subsidiary undertaking ("the year of the fraud offence"), and
c) the parent undertaking is a relevant body which is a large organisation."
Section 199 is intended to increase corporate responsibility for fraud committed in the UK. Those familiar with the provisions of the Bribery Act 2010 (Bribery Act) may notice similarities between the two pieces of legislation, with a corporate being vicariously liable of their employees or associates. The new office is extraterritorial in effect, applying to any large organisation and its subsidiaries, whether or not based in the UK, if they are involved in a fraud which has a UK nexus.
Liability is defined by (a) whether the corporate comes within the definition of a Large Organisation and (b) whether a fraud offence was committed in the UK by a person who is associated with the Large Organisation for the benefit of the Large Organisation or its clients. Specifically, the Large Organisation need not be a UK entity and the definition of associated person is wider than the equivalent definition used in the Bribery Act. ECCTA 2023 further expands the pool of inpiduals, including senior managers and associated persons, whose conduct can create liability for the corporate. This is expected to significantly lower the bar for UK prosecutors and, coupled with increased budgets, will undoubtedly embolden the Serious Fraud Office and other UK enforcement agencies who have brought a string of unsuccessful high-profile corporate prosecution cases in recent years.
In terms of territoriality, there just needs to be a UK nexus – namely that one of the acts of fraud took place in the UK or that the gain (or loss) occurred in the UK. The Home Office has provided guidance to organisations on the offence of failure to prevent fraud (Guidance),4 and specifically includes a section on Territoriality. The Guidance states "If an employee or associated person of an overseas-based organisation commits fraud in the UK, or [is] targeting victims in the UK, the organisation could be prosecuted. The offence will not apply to UK organisations whose overseas employees or subsidiaries commit fraud abroad with no UK nexus."
A defence is available if the relevant corporate can show that it has appropriate prevention procedures in place to prevent persons associated with the body from committing fraud offences.5
Reasonable Fraud Prevent Procedures
The Guidance provides information on the procedures that relevant bodies can put in place to prevent persons associated with them from committing fraud offences. The fraud prevention framework that a 'relevant organisation'6 puts in place should be informed by the following six principles, each of which is considered in detail in Chapter 3 of the Guidance:
1) Top level commitment - Responsibility for the prevention and detection of fraud rests with those charged with the governance of the organisation. The board of directors, partners and senior management of a relevant body should be committed to preventing associated persons from committing fraud. They should foster a culture within the organisation in which fraud is never acceptable and should reject profit based on, or assisted by, fraud.
2) Risk assessment - The organisation assesses the nature and extent of its exposure to the risk of employees, agents and other associated persons committing fraud in scope of the offence. The risk assessment is dynamic, documented and kept under regular review.
3) Proportionate risk-based prevention procedures - An organisation's procedures to prevent fraud by persons associated with it are proportionate to the fraud risks it faces and to the nature, scale and complexity of the organisation's activities. They are also clear, practical, accessible, effectively implemented and enforced.
4) Due diligence - The organisation applies due diligence procedures, taking a proportionate and risk-based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified fraud risks.
5) Communication (including training) - The organisation seeks to ensure that its prevention policies and procedures are communicated, embedded and understood throughout the organisation, through internal and external communication. Training and maintaining training are key.
6) Monitoring and review - The organisation monitors and reviews its fraud detection and prevention procedures and makes improvements where necessary. This includes learning from investigations and whistleblowing incidents and reviewing information from its own sector.
The Guidance specifically notes that the principles are intended to be flexible and outcome-focussed, allowing for the huge variety of circumstances that relevant bodies find themselves in. Relevant bodies will most likely have experience of putting similar policies in place under the Bribery Act - the fraud prevention procedures set down in the Guidance are based on the same six principles.
Establish Procedures
Entities in scope of the new offence – including those based outside the UK but with a UK nexus - should establish procedures that prevent associated persons from committing a fraud offence.
Footnotes
1. See section 201 and section 202 of ECCTA 2023 for definitions of "Large organisations" and "Large organisations: parent undertakings". In brief summary, a large organisation is such if it meets at least two of the following criteria in the financial year that precedes the year of the fraud offence: (i) Turnover greater than £36 million; (ii) More than £18 million in total assets or (iii) More than 250 employees. (s 201 ECCTA 2023).
2. Per section 199 (6) "A "fraud offence" is an act which constitutes— (a) an offence listed in Schedule 13 (a "listed offence"), or (b) aiding, abetting, counselling or procuring the commission of a listed offence."
3. Per section 199 (7) "a person is associated with a relevant body if— (a) the person is an employee, agent or subsidiary undertaking of the relevant body, or (b) the person otherwise performs services for or on behalf of the body."
4. The Guidance is available here.
5. See Section 199 (4) "it is a defence for the relevant body to prove that, at the time the fraud offence was committed—(a) the body had in place such prevention procedures as it was reasonable in all the circumstances to expect the body to have in place, or (b) it was not reasonable in all the circumstances to expect the body to have any prevention procedures in place.
6. The Guidance uses the term organisation(s) rather than relevant body.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
