How will the Economic Crime and Corporate Transparency Act and the ‘failure to prevent fraud’ offence work in practice?
Fraud is the most common offence in the UK, accounting for 41% of all reported crimes, with losses surpassing £2 billion in 2023.
The Economic Crime and Corporate Transparency Act (ECCT) received parliamentary approval on 27 October, 2023. The act aims to crack down on fraud and fraudulent behaviour, specifically targeting large organisations, which are defined as those having more than 250 employees, a turnover in excess of £36m and £18m in total assets. About 0.5% of British businesses are in scope. Also included in the act is the corporate offence of failing to prevent fraud.
The concept of ‘failure to prevent’ was introduced into British law with the 2010 UK Bribery Act (UKBA). Its inclusion in the 2017 Criminal Finances Act gestures towards its ongoing incorporation into corporate law making, although in relation to the Criminal Finances Act, it has led to very few prosecutions.
Notably, the ECCT Act has also incorporated an expansion of the identification principle. The definition of the ‘directing mind and will’ has been extended to include senior managers, making it easier for regulators to attribute responsibility and prosecute corporates. Like the UKBA, the failure to prevent fraud offence under the ECCT Act has a broad scope of liability. The parent company may now potentially be liable for a wider scope of fraud committed at subsidiary level and by contractors.
Recognising the multifaceted nature of fraud, the act aims to crack down on a wide spectrum of fraudulent activities, extending beyond financial fraud. Most importantly, the act is targeting fraudulent behaviour that benefits the corporate. Most anti-fraud work to date has focused on the corporate as a victim of fraud, with a focus on protection of property, stock and company money from theft.
Introduction by Lord Garnier
The overall aim of the act is to improve the culture of British law and business, a sentiment encapsulated in Lord Edward Garnier’s introductory remarks: “honest business is good business and good business is honest.” He acknowledged the possibility of regulatory burden but noted that all good business practices entail costs. He additionally stressed the fact that regulators will be looking for reasonable procedures and will not demand perfection. Expectations will be proportionate.
Lord Garnier voiced reservations over the legislation, noting that while it represents an extension of controls targeting economic crime, the confinement of its scope to large organisations poses challenges. He underscored the need for criminal law to be uniformly applicable to all corporates, regardless of size.
Participants were asked to consider whether they felt confident they had reasonable procedures already in place to comply with the act and prevent fraud and fraudulent behaviour, or was there work still to be done? Responses were divided evenly among the attendees. Those with well-established compliance programmes expressed confidence in their ability to demonstrate reasonable procedures that align with the latest conditions.
Additionally, participants from sectors accustomed to intense scrutiny regarding fraud, e.g., financial services, indicated a higher level of familiarity and confidence in responding to the new regulation.
Others, often due to specific factors related to their activities, their industry or their governance structure, were less confident. This was compounded by the uncertainty as to the precise implications of the act, particularly regarding the scope and granularity of the legislation and the lack of published guidance.
Representatives expressing confidence highlighted their reliance on various measures, including risk assessments, financial controls, strong top-level commitment, a robust ethical culture, and the inclusion of contractual clauses with third-party contractors and collaborators.
Why are corporates not yet confident? What are the challenges of measuring up to the new standards imposed by the ECCT legislation?
Managing subsidiaries, third-party agents, contractors and sub-contractors can be difficult. Firms operate within a larger ecosystem of suppliers and have elaborate, complex global supply chains. Despite the use of contractual requirements as a lever, ensuring the effective adoption of group-level procedures by third parties often remains a challenge. Many organisations, therefore, are confident in their ability to manage these risks at group level but not always beyond.
While concerns have been raised that the ECCT Act only applies to large organisations, it will be in the interests of those organisations to work with suppliers who comply with the same standards, so requirements may naturally percolate downwards even if such firms are not explicitly in scope. The example of over-invoicing was raised by one of the participants. While the top company might try to invoice transparently and correctly, if a sub-contractor has fraudulently inflated its invoice, this might get passed on to the end customer inadvertently. Pressure may therefore be applied down the supply chain to avoid such risks.
Some highlighted the added challenge of working across several jurisdictions, particularly in ‘high-risk’ jurisdictions. In higher risk contexts, companies may be required to install additional procedures to manage additional risks. It is not immediately evident what may be considered ‘reasonable’ relative to different risk contexts.
Another issue raised was the cost of demonstrating that reasonable procedures are in place. An increasing proportion of compliance costs comes from demonstrating or proving the robustness of the programme rather than the actual cost of the compliance programme itself. Some suggested that auditors can be overly demanding and not sensitive to commercial realities. As a result, some companies felt unsure as to how to best meet the demands of regulators and auditors. This is clearly an area where best practice is yet to emerge.
For companies operating in cost-sensitive industries, compliance costs can be significant. This potentially creates an uneven playing field for UK plc when competing against non-UK firms. Some countered this, arguing that there is, in fact, a possible competitive advantage in having a stronger compliance programme which satisfies the new requirements. It can bring real reputational gains, enabling companies to set themselves apart from competitors by stressing their adherence to ethics and strong business values. At this early stage, however, it is difficult to ascertain how competitors and customers will react.
Most existing controls around fraud, e.g., Internal Controls for Financial Reporting (ICFR), Sarbanes-Oxley (SOX) and other financial reporting requirements and legislation, are primarily designed to prevent theft from the company rather than fraudulent behaviour by the company. This act, however, will require organisations to think carefully about culture and behaviour to prevent fraudulent conduct by employees, contractors and agents. Given the wide range of fraudulent behaviours, it can be challenging to tailor procedures to capture all potential behaviours and risks. Some recognised the need to risk assess their business against the possible new fraud offences contained in the new act.
What gives organisations grounds for confident compliance with the ECCT?
Those operating in heavily regulated jurisdictions or sectors felt they had fewer adjustments to make. While the increased scope of the act means that most businesses will have something new to review, those confident felt they could rely on their extensive procedures, culture and commitment to respond to auditors and regulators.
Some had already been thinking ahead of the legislation, contemplating what to make of potential fraud risks in their sectors. For example, private equity (PE) firms have been grappling with how to manage risks related to fraud within companies in which they invest. PE firms have been questioning whether or not they are liable for fraudulent activities committed by their firms and how best to manage both the risk and the liability. Another example is ESG and the risk of deception of investors by overstating claims and greenwashing. A more recent example, which has gained prominence in wider social debates, is the risk of fraud related to AI.
Observations from the wider conversation
Overall, the principles underlying the new act are very welcome. Firms are merely uncertain about the material implications and how to respond appropriately. Some felt it was difficult to ascertain what ‘reasonable’ may look like without case law. Moreover, what would be considered ‘material’ fraud is still a matter of speculation.
The expansion of the identification principle and whether the UK is on a trajectory towards the US’s corporate criminal liability system was discussed, noting that such a move would have the support of regulators and prosecutors alike.
The fundamental question which cuts through the debate is whether this act will lead to a change in business culture or whether it will come to be considered as an additional regulatory burden. It is too early to say, but the hopes are that this legislation will be transformative, leading to lasting changes in behaviour.
The GoodCorporation view
GoodCorporation welcomes the act and its goal of improving the standards of behaviour in business. While we share Lord Garnier’s disappointment that the legislation’s application is limited rather than extending to all corporates, we hope that this serves as a catalyst for influencing standards broadly, extending its requirements to subsidiaries and suppliers. While the formal guidance will be welcome, we believe businesses adhering to the requirements outlined in the Bribery Act guidance (adding specific controls relating to fraudulent behaviour) will be well-positioned to satisfy regulators.
Convincing senior leadership of the law’s scope, and of its focus on fraudulent behaviour rather than on being defrauded, will be important. However, evaluating risks, then developing and testing procedures to ensure that they are in place is the key next step for most organisations. To assist with the development of the systems and procedures needed to comply with the act, GoodCorporation has developed a Framework on Preventing Fraud. The framework covers all relevant functions and helps organisations identify risks and the controls needed to put mitigation measures in place.