
Economic Crime and Corporate Transparency Act 2023
Background
Last October, the UK government passed the Economic Crime and Corporate Transparency Act, aimed at enhancing measures against economic crime and improving corporate transparency. The recent introduction of “Failure to Prevent Fraud” is being seen as a significant feature of the Act.
The guidance proposes to impose liability on targeted corporations if they do not have adequate fraud prevention measures in place, allowing for prosecution even if senior management was unaware of the fraudulent activities.
It is hoped that this addition would make it easier to hold organizations accountable for frauds committed by employees or other associated persons, thus encouraging them to implement or improve prevention procedures, driving a major shift in corporate culture to help prevent fraud.
Applicability
The guidance applies specifically to large organizations, defined as those meeting at least two of the following criteria:
- More than 250 employees
- Turnover exceeding £36 million, or
- A balance sheet total over £18 million.
“Large organization” includes incorporated bodies, subsidiaries, partnerships, and large not-for-profit organizations (like charities) if they are incorporated.
Liability
An organization could be held criminally liable if an associated person commits fraud intending to benefit the organization and the organization lacks reasonable fraud prevention procedures.
Associated persons are defined broadly to include:
- Employees: Individuals employed by the organization.
- Agents: Those acting on behalf of the organization.
- Subsidiaries: Any subsidiary companies, regardless of their size.
These principles are intended to be flexible and outcome-focused, allowing for the huge variety of circumstances that relevant bodies find themselves in.
Types of Fraud Covered
The offense encompasses various specific fraud offenses, including:
- Fraud by false representation
- Failing to disclose information
- Abuse of position
- Participation in false businesses
- False accounting
- Fraudulent trading
Others: Associated persons also include any person who performs services for or on behalf of the organization, such as:
- Advertisers hired by the company
- Brokers and sales agents
- Professional advisers
This definition marks a significant shift from previous legislation, such as the Bribery Act 2010, where the status of subsidiaries as associated persons required more detailed analysis regarding whether they were performing services on behalf of their parent company. Under the new Act, employees, agents, and subsidiaries are automatically classified as associated persons, simplifying the attribution of liability to organizations for fraud committed by these individuals.
Role of subsidiaries
Subsidiaries are classified as associated persons of their parent companies. This means that if a subsidiary commits fraud, the parent organization can be held liable for failing to prevent that fraud, provided the fraud was intended to benefit the parent or its clients.
Fraud Committed by Subsidiaries: If an employee of a subsidiary commits fraud with the intention of benefiting that subsidiary, the subsidiary itself can be prosecuted for the offense, even if it is not classified as a large organization. This allows for direct accountability at the subsidiary level.
Parent Company Liability: Conversely, if a subsidiary’s employee commits fraud intending to benefit the parent company, then the parent company can be prosecuted under this offense. This dual liability structure ensures that both subsidiaries and parent organizations are held accountable depending on the circumstances of the fraud.
If a UK-based employee commits fraud, the employing organization could be prosecuted, wherever it is based.
If an employee or associated person of an overseas-based organization commits fraud in the UK or targets victims in the UK, the organization could be prosecuted.
The offense does not apply to UK organizations whose overseas employees or subsidiaries commit fraud abroad with no UK nexus.
Key considerations & principles for developing reasonable fraud prevention procedures
Adoption of Risk-Based Approach
Organizations must demonstrate that they had reasonable procedures in place at the time of any fraudulent activity. The concept of “reasonable” is not strictly defined, allowing flexibility for organizations to tailor their measures based on their specific circumstances and risks.
Key Principles
The guidance sets out six principles that organizations should follow to establish effective fraud prevention frameworks:
- Top Level Commitment:
  - Leadership (board of directors, partners, and senior management) commitment to preventing fraud
  - Designated leadership role in relation to fraud prevention along with direct access to the CEO/board
  - Communication and endorsement of the organization’s stance on preventing fraud
  - Naming the key individuals and/or departments involved in fraud prevention
  - Articulation of consequences for those associated with breach of policies
  - Clear governance on fraud monitoring, including but not limited to:
    - Scanning for new fraud risks, approving the assessment of risk
    - Developing and implementing optimal fraud detection, testing & prevention measures
    - Ensuring that appropriate management information is disseminated
    - Developing and implementing disciplinary measures
  - Robust whistleblower mechanism
  - Commitment to training and resourcing
- Risk Assessment:
  - Organizations should conduct thorough assessments of potential fraud risks—assess the nature and extent of their exposure to the risk of employees, agents, and other associated persons committing fraud in the scope of the offense.
  - The risk assessment must be dynamic, documented, and kept under regular review.
  - Must identify typologies of associated persons and construct typologies based on opportunity, motive, and rationalization.
  - Leverage a broad range of sources—analytics, previous audits, sector-specific information, and enforcement actions.
- Proportionate Risk-Based Prevention Procedures: Implement procedures that are appropriate to the level of risk identified.
  - An organization’s procedures to prevent fraud must be proportionate to the fraud risks it faces and to the nature, scale, and complexity of the organization’s activities. They must also be clear, practical, accessible, effectively implemented, and enforced.
  - Illustrative risk factors to consider:
    - Does the organization undertake pre-employment and vetting checks? For high-risk roles, does it carry out ongoing vetting checks?
    - Do those in high-risk roles receive regular anti-fraud training, and how vigorously is compliance with training evaluated?
    - Does the organization assess emerging risks systematically?
    - If new services or associated persons present a potential fraud risk, is a fraud impact assessment made?
    - Are fraud risks managed equally well throughout vulnerable processes such as procurement?
    - Do procedures for avoiding conflicts of interest need to be bolstered?
    - best practice on reducing fraud risks in the sector?
- Due Diligence: Conduct due diligence on employees and associates to mitigate risks.
  - Taking a proportionate and risk-based approach in respect of persons who perform or will perform services for or on behalf of the organization in order to mitigate identified fraud risks.
  - Those with exposure to the greatest risk may choose to clearly articulate their due diligence procedures specifically in relation to the corporate offense.
  - Illustrative best practices—using appropriate third-party risk management tools, screening tools, etc.
- Communication (including training): Ensure ongoing communication about fraud prevention policies and provide adequate training tailored to specific roles.
  - A clear articulation and endorsement of an organization’s policy
  - Training should be proportionate to the risk faced. Consideration should be given to the specific training needs of those in the highest-risk posts.
  - Training should include ensuring that staff and other associated persons are familiar with whistleblowing policies.
  - Conducting victimization risk assessments and protecting whistleblowers from potential victimization
- Ongoing Monitoring and Review: Regularly review and update fraud prevention measures to ensure their effectiveness.
  - Implement measures for detecting frauds against the organization.
  - Need to consider how these can be extended to frauds that might be intended to benefit the organization or its clients.
  - What processes are in place for detecting unauthorized access to data?
  - What analytics are shown to us
  - Relevant organizations are likely to have in place arrangements for investigating attempted frauds against the organization but may need to extend them to cover frauds that are intended to benefit the organization or its clients.
  - Investigations should be independent, clear about their internal client and purpose, appropriately resourced, empowered, scoped, and legally compliant.
Implementation Timeline
The offense will come into effect on September 1, 2025, providing organizations time to prepare their risk assessments and implement necessary procedures.
This guidance aims to foster a proactive approach among large organizations in preventing fraud and enhancing corporate accountability.
Important note
Departures from suggested procedures within the guidance will not automatically mean that an organization does not have reasonable fraud prevention procedures, as different prevention procedures may also be considered reasonable by a court. Equally, this guidance is not intended to provide a safe harbor: even strict compliance with the guidance will not necessarily amount to having reasonable procedures where the relevant body faces particular risks arising from the unique facts of its own business that have not been addressed.
The onus will remain on the relevant organization, where it seeks to rely on the defense, to prove that it had reasonable prevention procedures in place (or that it was unreasonable to expect it to have such procedures).
These updates reflect a comprehensive effort by the UK government to strengthen legal frameworks against economic crime while enhancing corporate accountability and transparency.