UK’s Economic Crime and Corporate Transparency Act 2023 is here. Now what?
On October 26, 2023, ECCTA 2023 received Royal Assent. Heralded as bringing sweeping reform to the UK's economic crime laws, the new Act aims both to close decades-long loopholes and to expand the UK’s corporate liability for economic crimes. The new law makes it easier for enforcement agencies to pursue larger organisations for economic crimes.
Whether the new Act achieves its intended objectives is still to be seen, but it is definitely time for businesses and their legal and compliance teams to take a fresh look at the design and operation of their compliance and fraud prevention programs, now through an expanded lens.
What’s new?
The Act introduces several changes aiming to improve transparency over corporate entities in the areas of identity verification for directors, persons with significant control and limited liability partnerships, company filing and record-keeping requirements, and restrictions on the use of corporate directors, and gives new powers to Companies House, among others. Many of the changes will require secondary legislation and implementation guidance.
Other significant innovations concern the expansion of corporate liability for economic crimes – the introduction of a new “failure to prevent fraud” offence and reform of the UK’s identification doctrine.
The Act similarly expands the scope of information sharing between businesses, including those in the financial sector, to prevent, investigate and detect economic crime, introduces measures to strengthen the anti-money laundering and counter-terrorist financing framework, and gives expanded powers to the UK’s Serious Fraud Office and National Crime Agency.
In this newsletter edition, I want to focus on a new corporate criminal offence of failure to prevent fraud and its implications for businesses.
What do we need to know about the new “Failure to prevent fraud” offence?
The new “failure to prevent fraud” offence is modelled on the Section 7 “Failure to Prevent Bribery” offence introduced in the UK Bribery Act 2010, albeit with some significant differences.
Under the Act, a larger business can be found criminally liable should it fail to prevent fraud committed by an associated person when such fraudulent conduct is intended to benefit the organisation or its clients. The only defence would be that organisations have “reasonable procedures” in place to prevent fraud. NB: Corporate criminal liability will not be triggered when the organisation itself is the victim of the offence.
Large organisation. For the organisation to be caught, two of the three criteria need to be satisfied: (i) more than 250 employees, (ii) more than £36M turnover, and (iii) more than £18M in total assets. It will also have the potential to catch a parent company if the group meets these criteria in aggregate. This is one of the differences compared to the Section 7 Offence under the UKBA 2010, which applies to organisations of any size.
Relevant Offence. The offence captures a broad range of fraudulent conduct, including false accounting, tax, fraud and bribery offences. Considering that the Act makes it easier for investigation agencies to pursue larger companies for economic crime, it would not be surprising if they rely more on the ECCTA 2023 than on the UKBA 2010 in the future. We know this from how the US enforcement agencies approach foreign corruption resolutions.
Associated person. The Act adopts an expanded definition of associated person. Notably, an organisation's employees, its subsidiaries and their employees are now also defined as associated persons. This is broader than the definition adopted under the UKBA 2010 and raises the risk for parent companies of being liable for failure to prevent fraud perpetrated by subsidiaries and their employees.
Extra-territorial effect. As with most underlying fraud offences, the “failure to prevent fraud” offence is given an extra-territorial effect. Non-UK businesses with UK operations appear to be firmly within the scope of the new offence.
Senior Managers. The Act has expanded the application of the “identification principle” – the test determining whether individual criminal conduct can be attributed to a company. Now, it covers the actions of senior managers in addition to those individuals who are the “directing mind and will” of the company. This will significantly ease the prosecution’s burden of proving intentional misconduct in larger and more complex organisations (one of the reasons why it is much harder to prosecute corporate wrongdoing).
Reasonable procedures. While the Government is still to publish reasonable procedures guidance, we can expect those to align with the “six principles” of adequate procedures model introduced under the UKBA 2010.
What do businesses need to do to prepare?
While the Government is not expected to publish its guidance on reasonable procedures before Spring 2024, there are steps that companies need to start taking now.
To implement the compliance requirements of the Act, the Government’s own Impact Assessment indicates that larger organisations will require a core team of four to five personnel working full time, managed by a project director devoting 20% of their time to the project. For smaller companies, it indicates one full-time resource. It is clear that the Government expects businesses to take their compliance obligations seriously.
Where to start?
Review and, if needed, adjust the scope of risk assessment.
Fraud management program – How does it reflect the “six principles” of adequate procedures?
- Top-level commitment to preventing fraud.
- Fraud risk assessment. Ensure that internal controls are proportionate to the risk level, with higher levels of scrutiny applied to higher-risk transactions and business activities.
- Policies and procedures are in place and updated to include additional compliance obligations. Moreover, consider how those procedures are cascaded down to subsidiaries and applied by them, and how employees are made aware of their obligations to comply.
- Internal controls (financial, operational and commercial) are proactive and effective in detecting and preventing fraudulent activities.
- Due diligence and ongoing monitoring of third-party relationships. Standards of conduct for business associates cascaded through contracts, and contractual remedies for breach are available. Ongoing operational monitoring to include fraud detection and red flags identification.
- Awareness and communication for all employees and targeted risk-based training for senior managers and high-risk employee groups. Identify individuals who fall within the category of “senior managers” and ensure relevant personnel are aware of their obligations and know how to spot fraud and report concerns for further investigation and response.
- Focus on building a Culture of Integrity that does not tolerate fraud or any form of corporate misconduct.
- Controls Performance Monitoring and risk-based auditing are in place and tailored to the risk level and business specifics. Using data analytics and AI/ML tools for fraud detection allows organisations to increase program and internal controls effectiveness and is a “must have” in this day and age.
- Speak Up channels and allegation investigation management. Does your organisation conduct a thorough root-cause analysis to identify systemic weaknesses and prevent recurrence?
Group compliance monitoring and reporting: With subsidiary management in the spotlight, every organisation needs to have clear visibility of what is happening at the subsidiary level: their specific risks, types of issues, and what processes and controls they have in place to detect and effectively respond to compliance incidents. A fraud prevention self-assessment is a good starting point.
The fraud management program and the operation of internal controls are monitored, periodically reviewed for effectiveness and evaluated for adequacy and continuous improvement.
If you would like to have a further discussion on any of the above, please get in touch. We are here to help!
We will be back in two weeks!
Comhla Intelligent Compliance
At Comhla, we are driven by a mission to revolutionise the way organisations approach compliance and misconduct prevention. We leverage cutting-edge applied research in behavioural science, actionable data insights, compliance, internal controls and regulatory expertise to help our clients identify and target conduct risks before misconduct occurs. We believe that each organisation should be proactive about maintaining business integrity. By going the extra mile to provide evidence-backed solutions tailored to our customers' unique needs, we enable them to maximise Compliance ROI while increasing the effectiveness and impact of their prevention strategies.
We aim to publish once a fortnight. The information provided in this newsletter is not intended to and does not render legal, accounting, tax, or other professional advice or services.