Corporate failure to prevent fraud – a new era in UK law

United Kingdom

Corporate Criminal Liability

It used to be that company law and criminal law had very little to do with each other.  From the nineteenth century onwards, what we might call the “classical” theory of English corporate law held that, although civil liabilities could be incurred on behalf of a company by the company’s agents (such as directors or employees), mere agency was not enough to make a company liable for most crimes which require a specific mental state.

An example is fraud. For a fraud to be committed the perpetrator must possess the mental state of dishonesty. The classical theory says that for this to apply to a company (which, of course, is legally separate from its officers or shareholders) a person who embodies or can be identified as the company at the material time must have the relevant dishonest state of mind. This is sometimes called the test of directing mind and will, or the identity doctrine.

The classical theory made some sense in the case of small, owner-operated companies, which were more prevalent at the turn of the last century. But as economies and companies grew larger and more complex the theory gave rise to a loophole. Large companies, where the central management was distant from day-to-day operations, were very rarely charged with serious crimes in the UK, at least outside of specially-created statutory regimes such as health & safety.

Some in government and law-enforcement dislike this state of affairs. They have gazed in envy at the United States, where (at least in federal law) companies are subject to vicarious criminal liability if their employees commit crimes for the purpose of benefitting the company.

A New Regime

The UK Government has now decided not to replace but at least to supplement the classical theory, for certain crimes and certain companies.

Under draft amendments to the Economic Crime and Corporate Transparency Bill, a company or partnership which meets certain size and turnover criteria would be guilty of an offence if it has “failed to prevent” the criminal conduct of an employee, agent or subsidiary and the intent of the perpetrator is to benefit the company. There will be no need to identify a single person as embodying the company in such a case. The offence will not be committed if the company itself is the actual or intended victim. A link to the current amendments can be found here .

Large Organisations Only

The Government’s aim is to include only what are thought of as “large organisations” in the regime. Large organisations, in this context, are organisations satisfying two of the following criteria:

  • Revenue greater than £36m;
  • Balance Sheet total greater than £18m;
  • Employee total greater than 250.

These tests are to be applied to the financial year in which the offence is alleged to have occurred.  Companies which remain smaller than the above will not be liable and remain subject to the classical rules. Of course, the Government retains the power to alter these criteria in future.

(Some) Economic Crimes Only

The draft legislation focusses on what is termed “economic” crime. It is modelled on a similar offence of failure to prevent bribery created by the Bribery Act of 2010. Among the relevant offences are:

  • Fraud (the various varieties described within the Fraud Act 2006 including obtaining services dishonestly),
  • False-accounting
  • Tax-evasion (“cheating the revenue”)
  • False Statements by Directors
  • Fraudulent Trading.

Other crimes such as insider-dealing, money-laundering or cartel offences are excluded, at least for now.

Defence of Reasonable Procedures

There will be a statutory defence available to a company. The company will not be liable if it can establish that it had in place “reasonable procedures” to prevent the relevant offending. The government has promised to publish guidance on what reasonable procedures might consist of, and that the law will not come into force until that guidance is available.

The nature of what is, or is not, a reasonable procedure, and how one can tell in advance of any criminality occurring, will be impossible to define in the abstract. The burden of proof of reasonableness will be on the defending company. However, like the “failure to prevent tax evasion” offence under Criminal Finances Act 2017, the draft adopts a more generous formulation than the Bribery Act. The Bribery Act specifies “adequate procedures”. This draft specifies “(a) such prevention procedures as it was reasonable in all the circumstances to expect the body to have in place” and even contemplates that it will be possible for a company to prove that “(b) it was not reasonable in all the circumstances to expect the body to have any prevention procedures in place.” 

The guidance is likely to contain several examples and explanations, but also to contain enough disclaimers and caveats to the effect that, ultimately, each case will be fact-dependent and the test of reasonableness will vary according to the risk which each individual company happens to face.

Progress of the Bill

There is more to analyse in the current draft legislation. For example, unlike the Bribery Act or Criminal Finances Act, the safeguard of requiring specific senior law enforcement officers to authorise prosecution seems to have been omitted, and the necessary jurisdictional nexus of offending to the UK is not expressly defined (although there is no restriction of the legislation to UK-registered bodies).

The Bill is currently before the House of Lords and the amendment has been introduced at the Committee Stage. It will be debated and, no doubt, the process of Parliamentary scrutiny will provide more context and perhaps changes to some of the details. But the outlines of the new law are clear and, as a government amendment, it’s right to expect something like this to become law within the next 6-12 months. Its overall principles are likely to have bi-partisan support.

Impact on Companies

We can expect some talk from Ministers to the effect that the new class of offences will not materially add to the regulatory burden on businesses. We would take such reassurances with a grain or two of salt.

Most, if not all, large businesses will need to dedicate some resources to assessing the risk of their being liable for fraud or other similar conduct by their employees or agents in the course of their business. They will need to consider what measures they can sensibly take to prevent this and try to benchmark this against the guidance or other good practice standards. In some cases, the risk-assessment process may reveal problems which call for significant remediation efforts. 

We can also expect some excitable commentary in the other direction, especially from service-providers. It may be suggested that very bad things will soon happen to businesses unless high-powered consultants are engaged immediately to re-work the entire control environment. 

Again, its worth keeping a little salt to hand. It is true that, from a legal point of view, the draft legislation represents a paradigm-shift. It is a further step in the direction of “criminalisation” of corporate governance, which has been a long-term trend since the 1990s. There will be a meaningful increase in the down-side risks of serious misconduct by corporate employees or anyone else representing large companies. The issues of fraud and appropriate compliance and controls are bound to loom larger on the average risk-register.

But perspective is important. We expect that most diligent companies should be able to manage these risks appropriately. We expect there to be a bedding-in period while the guidance is made available and law-enforcement priorities are made clear. Quite a high evidential threshold will be required before prosecutions are brought. We don’t expect an epidemic of prosecutions or investigations – the apparently deliberate softening of the “reasonable procedures” defence compared to that applicable to bribery is an indicator that the Government only expects particularly serious cases to make it to court.

The Government amendments also propose widening the regime of Deferred Prosecution Agreements (under the Crime and Courts Act 2013) to include the “failure to prevent fraud” offence. This will allow prosecutors to resolve corporate cases consensually by means of deferred prosecution agreements, as is the case with bribery. As with bribery, we would expect that, over time, such agreed resolutions will become the norm for affected companies.

The failure to prevent fraud offence will be limited to “commercial organisations” (i.e. corporate bodies such as companies and partnerships). The legal position of individuals, at all levels in a corporate structure, won’t change very much, although, of course, the risk of detection of any personal dishonesty is bound to go up.

As mentioned, these reforms don’t apply to offences not named in the Bill (for example insider dealing or money-laundering offences). There is a residual power for ministers to include other offences of a similar nature by way of future secondary legislation. This too may be controversial among parliamentarians, who dislike the lack of scrutiny of such “Henry VIII” powers as a matter of principle.

So, for the excluded offences, and for smaller companies, the classical theory will survive. Scholars may, in time, start to think about why such a distinction should exist, The Bill suggests an acceptance, at least in principle, that the harshest effects of vicarious liability can be mitigated by the “reasonableness” of a company’s approach to governance. But that is a discussion for another day. 

A version of this article first appeared in Reuters Regulatory Intelligence on 20 April 2023.