Fail to prevent, prepare to fail

Assuming it makes it onto the statute book, the Economic Crime and Corporate Transparency Bill 2022-2023 (the Bill) is set to be one of the biggest changes to laws tackling economic crime in over a decade. Businesses faced with issues of fraud and false accounting would do well to keep an eye on its progress and start planning now for its entry into force.

It is making its way through Parliament and is currently at committee stage in the House of Lords. It could receive royal assent later in 2023 and come into force by 2024.

One of a raft of proposed reforms is a new criminal offence for large corporate bodies for the failure to prevent fraud and false accounting. That is set to be a significant expansion to the suite of economic crime offences.

The Bill

The Bill is part of wider UK legislative reforms to tackle fraud, money laundering and corruption, with a particular focus on corporate bodies. The government says it is ‘committed to bring forward this further bill to deliver a suite of wider-ranging reforms to tackle economic crime and improve transparency over corporate entities’.

It follows the Economic Crime (Transparency and Enforcement) Act 2022. That Act was in response to Russia’s invasion of Ukraine and assisted the UK government with the imposition of sanctions, created the Register of Overseas Entities, and sought to strengthen the unexplained wealth order regime. The government has also recently published its Economic Crime Plan 2 (2023-2026) which sets out the government’s strategy for tackling economic crime.

The Bill seeks to introduce a number of reforms to assist with the prevention
and detection of economic crime. As well as the failure to prevent offences, the proposals include Companies House reforms, increased transparency for limited partnerships, strengthening the powers of the Solicitors Regulatory Authority and the Law Society, and expanding the Serious Fraud Office’s pre-investigation powers.

There has been significant parliamentary debate about the Bill, including with regards to the scope, formulation, and application of the offences, and how it interacts with existing laws tackling economic crime. However, it gives a clear indication of the government’s direction in tackling corporate criminal liability in the context of economic crime.

Failure to prevent fraud offence

The government has indicated that a new failure to prevent fraud and false accounting offence will form part of the Bill.

Based on recently proposed amendments, the Bill would encompass the following:

• The offence will only apply to large corporate bodies who meet two out of three of the following criteria: more than 250 employees, more than £36m turnover, and more than £18m in total assets. This includes large corporate bodies, partnerships, not-for-profits and incorporated public bodies. Small and medium-sized enterprises are, therefore, exempt.
• A commercial organisation captured by the legislation is guilty of an offence where a person associated with that organisation commits (or aids and abets) fraud or false accounting for the benefit of that organisation, and the organisation fails to prevent the offence. These proposed offences are similar to that found in the Bribery Act 2010 (BA 2010), a now tried and tested offence where a company may be guilty of a crime for failing to prevent bribery by someone associated with the company. The proposed offence will cover a wide range of fraudulent conduct including: false representation, failing to disclose information, abuse of position, obtaining services dishonestly, participation in fraudulent business activity, false statements by company directors, fraudulent trading, and cheating the public revenue. It will not, however, cover money laundering offences which have been removed from the proposals and will be captured by the existing law.
• It will apply to entities doing business in the UK and those working for it. A commercial organisation captured by the legislation is likely to be a body based or doing business in the UK and a person associated with the commercial organisation is likely to be construed widely to include employees, agents and subsidiaries. That means foreign corporates could be prosecuted if one of its employees or associates commits fraud under UK law or targets UK-based victims.
• Large organisations will have a defence if they can prove at the relevant time that they had in place ‘reasonable’ procedures in all the circumstances designed to prevent fraud and false accounting offences. Again, this is based on the ‘adequate’ procedures defence available to the equivalent ‘failure to prevent’ offence in BA 2010. The government’s intention is that ‘reasonable’ rather than ‘adequate’ procedures will reduce the burden on businesses and be easier to comply with. The offence will not come into force until the government has published guidance about what ‘reasonable’ procedures means.
• It would further increase the scope of criminal offences which can be committed by a company which do not require application of the identification principle. Currently for a company to be liable for most offences, prosecutors have to show that a directing mind and will of the company intended to commit the offence. Failure to prevent offences mean that prosecutors only have to show a lack of reasonable procedures in place to prevent the offences—there is no need to identify a particular individual or individuals who intended not to put in place reasonable procedures designed to prevent the fraud, false accounting or money laundering.
• If convicted, an organisation may be liable for an unlimited fine.

There have been a number of changes to the proposed scope of the offence already. So, the full impact of this new law is not yet clear. But, it seems that a failure to prevent offence in some form will become law and that will further change the landscape for commercial organisations as regards economic crime.

Preparation

New failure to prevent offences would make it easier to prosecute large corporate bodies doing business in the UK which do not have reasonable procedures in place to prevent fraud and other offences within its organisation. The Bill therefore represents more work for compliance and legal teams within corporates. Managing risk is, or should be, a top priority for all commercial organisations. It would be sensible for large corporate bodies from all sectors to start preparing for these changes now.

Some ways in which corporate bodies can prepare include the following:

Assessing & managing risk

• Corporate bodies in all sectors should consider the risk to their organisation of fraudulent and false accounting activity. This is a potential risk to all businesses, but obviously some sectors are more exposed than others. Previous government amendments specifically listed certain types of businesses likely to be captured by the new law, including credit and financial institutions, professional services firms, casinos, cryptoasset exchanges and custodian wallet providers.
• Consider if the organisation falls within the definition of large corporate body or whether it might do in the future, and keep this under review.
• From a commercial perspective, the level of fine (which could be unlimited) should be factored into the risk assessment. The court will take account of all the circumstances when determining the level of fine. Corporates should therefore assess the scope of the corporate’s regulatory obligations—not just the failure to prevent fraud offence. For example, is the business regulated, where does it operate and what laws apply, and who can investigate the business? Can the corporate show that it has an overall plan to tackle economic crime within its organisation and that it is committed throughout all levels of the organisation to combat economic crime?
• Consider whether the organisation has the internal resources to assess, prevent, detect, and respond to fraud. If it does not, is there scope for new roles within the organisation, or would it be appropriate to appoint an external adviser to help with this?

Fraud prevention measures

• Putting in place fraud prevention measures.
• Corporate bodies should consider compliance training for staff and review any relevant policies, procedures, and protocols aimed at bribery, corruption, and crime—do these adequately address wider forms of economic crime?
• Look out for the government’s guidance on what constitutes ‘reasonable’ prevention measures. When that becomes available, compare that to the organisation’s current procedures and assess if any changes are necessary.
• The government says that there will be circumstances where it is reasonable to have no fraud prevention measures where the risk is extremely low within that organisation. However, it is difficult to think of an example of a large corporate body which faces such low risk. So, it seems sensible for all large corporate bodies to start planning now.

Fraud detection measures

• Putting in place fraud detection measures.
• Corporate bodies should consider if they have appropriate anti-fraud controls and reporting mechanisms in place. The government’s intention is that the new offence will drive cultural change within organisations and prevent them being able to look the other way if an offence is uncovered. With that in mind, corporates should review, in particular, their internal reporting and whistleblower policies.
• Consider appointing a compliance officer (if it does not already have one).

Response strategy

• Preparing (and testing) a response plan/strategy if fraudulent activity is identified within the commercial organisation. That should include considering:
  
  • Who is on the internal team to deal with such matters—it is often necessary to limit those involved. Does the corporate need to inform the board, its lawyers, and/or any regulatory body?
  • Setting out a protocol and the parameters for internal investigations.
  • Document retention and preservation. Corporates should have a procedure for preserving, protecting and not destroying any documents which may be relevant to the investigation. This will likely include working with the corporate’s IT team or the relevant outsourced team to understand where and how data is stored, and how it can be protected.
  • Appointing a team of external advisers who can assist. This may include legal, PR, IT and/or crisis management advisers.

This article first appeared on the New Law Journal and is reproduced with the kind permission of the publishers.