The Economic Crime and Corporate Transparency Act is now law

The Economic Crime and Corporate Transparency Act (“ECCTA”) has been granted Royal Assent, closing more than a year of debate about who it should target and how.

The UK Government has sought to clamp down on corporate fraud while keeping red tape to a minimum, but the Act has two particular impacts related to fraud and wider economic crime that should raise blood pressures in UK boardrooms. It broadens the identification principle, significantly increasing the range of employees who can make a business liable for corporate wrongdoing relating to economic crime (for more details refer to my prior blog in July), and it establishes a new “failure to prevent” offence to penalise organisations that have insufficient defences to prevent fraud.

Both these provisions will create additional responsibilities, and a period of uncertainty while observers wait to see how they will be used and enforced, but perhaps the most interesting aspect over the last month is the proposed amendments from the House of Lords that were withdrawn in the final stages.

House of Lords amendments rejected

As set out in my previous blogs, over summer the House of Lords proposed to bring money laundering within scope of the new law. This would have forced a whole range of business outside the regulated sector to take on anti-money laundering responsibilities for the first time. The version that received Royal Assent in October, however, took money laundering off the table. The policy paper accompanying the ECCTA says money laundering offences “are not included because relevant organisations are already required by law to have anti money laundering procedures in place and be regulated by the Financial Conduct Authority”. In this respect, then, companies can breathe a sigh of relief.

The second key debating point between the Commons and Lords over the summer was the exemption for SMEs. The House of Lords had called for it to apply to all but micro-organisations and proposed a lower size threshold but the Commons rejected both proposed amendments, citing concerns about the compliance burden on smaller corporates. The failure to prevent offence will therefore not impact SMEs that fall below the large corporate threshold (as defined by the Companies Act 2006 - that is, organisations meeting at least two out of three of the following criteria: more than 250 employees; more than £36 million turnover; or more than £18 million total assets).

Impact on SMEs

As I set out in prior blogs, I would expect that as the “compliance bar” is raised for large organisations this expectation will trickle down to smaller organisations as a result of their engagement with those in-scope larger businesses, as suppliers and through other types of relationship. Large organisations will wish to ensure that their robust fraud risk management frameworks cover their extended enterprises (including supply chain, agents, joint ventures, etc.).

The Government has said the reforms would level the playing field so that small- and medium-sized businesses were not unfairly penalised compared to large corporates, particularly with regards to the expanded identification principle. It said small businesses faced a higher risk of prosecution under the old identification doctrine because it was easier to demonstrate controlling mind with fewer directors. In larger corporates, however, employee control is more diluted and it is harder to identify a “directing mind and will”. Broadening the definition will make it more difficult for large companies to make use of complex and delegated corporate governance structures to avoid scrutiny.

It should be remembered, however, that smaller enterprises will still be subject to the broadened identification principle (as a reminder: under current legislation, only offences committed by the “directing mind and will” of an organisation can be attributed to that corporate itself. Under the new regime, anyone considered a “senior manager” can make a corporation liable for an economic crime). This may in fact place small organisations in an even more precarious position than larger ones that meet the size threshold for failure to prevent. If authorities want to use the new toolkit to prosecute organisations for economic crime, small organisations – with the failure to prevent offence not applicable to them – will not have a “reasonable procedures” defence to avail themselves of in prosecution.

As a reminder, the new failure to prevent offence will apply when an act of fraud (with a wide scope: offences include fraud by false representation; failing to disclose information; abuse of position; obtaining services dishonestly; participation in a fraudulent business; false statements by directors; false accounting; fraudulent trading; and cheating the public revenue) is perpetrated by an employee or agent of the company; where it was committed for the organisation’s benefit; and where the organisation lacked reasonable fraud prevention procedures. For the reasons I have set out above, all large organisations – and even those below the size threshold – will need to consider where fraud risks that benefit the organisation sit, and review policies and procedures to ensure compliance.

What does “reasonable” look like?

Clearly, the term “reasonable” will be open to a degree of interpretation and it remains to be seen what standards will be required in practice. The failure to prevent offence will only come into force once the Government has published guidance on what it considers reasonable fraud prevention procedures to be. In practice, we expect requirements will take similar form to those previously set out for the Criminal Finances Act and the UK Bribery Act.

However, what is clear is that organisations need to review and refresh their anti-fraud programmes to ensure they are fit for purpose in order to understand, mitigate and monitor the fraud risks to which they are exposed.