Thursday February 8, 2024

Molly Sandquest explores the headline measures and the implications for businesses

Driving down economic crime remains a priority for government – not only to help reduce the damage in terms of reputation, financial loss and psychological consequences to organisations or the public, but also to strengthen confidence in the UK as a reputable, safe and secure place to trade and invest.

However, the threat from economic crime continues to grow. Fraud is one of the largest sources of criminal activity in the UK, accounting for an estimated 41% of all crime experienced by adults in England and Wales. At present, the National Crime Agency (NCA) assesses that over £12 billion of criminal cash is generated annually in the UK.

The Economic Crime and Corporate Transparency Act (ECCTA) is the latest in a series of flagship legislation to help protect the integrity of the UK economy and support legitimate growth and prosperity. It is a transformative, landmark act of Parliament that affects businesses, and their legal advisers will need to take time to understand.

It should not be a sea change in how the largest organisations already approach governance, primarily as a result of the UK Bribery Act and the Corporate Criminal Offence legislation. It does introduce increased risk in the form of potential additional liabilities for fraud.

In this first article of a new series, we look at what the ECCTA contains and what businesses should be aware of.

In our next article, we consider its implications regarding fraud and share our views on ‘reasonable procedures’ as part of the defence for ‘failure to prevent fraud’ offence, which organisations can be prosecuted under since 26 December 2023. Guidance as to what constitutes ‘reasonable procedures’ is expected in Spring 2024.

What are the headline measures?

The ECCTA encompasses powers given to:

• Companies House, to prevent the creation of – and to shut down – fraudulent companies through enhanced information control and verification;
• the police and the NCA, to seize cryptoassets;
• prosecutors, to enhance their ability to hold companies liable for fraudulent activity; and
• judges, to halt the progress of – and mitigate the impact of – strategic lawsuits against public protection (known as SLAPPs).

Drawing from the powers encompassed within the legislation, we explore headline aspects of these in turn below.

Companies House reform

Companies House has received criticism over recent years regarding the registration of fraudulent, sham companies. Reforms in the ECCTA are aimed at helping Companies House to address this by improving: i) the information it has on companies, and the people behind them; and ii) its powers to safeguard and interrogate the information it holds and receives.

Some of the most important changes here include:

• Enhancing directorial registration requirements so that new and existing registered company directors need to verify their identity with Companies House. This includes tightening up who has the ability to file information at Companies House to only those individuals who have been verified by their identification, or certain ‘authorised corporate service providers’;
• New powers for the registrar to check, remove, or decline information passing through the companies register. This aims to ensure accuracy and enhance the integrity of Companies House data;
• Enhancing investigation and enforcement powers, including the ability for Companies House to share information with law enforcement, regulatory bodies, and other public authorities;
• Updating the restrictions on what can be put in company names – for example, excluding names that could imply association with a foreign government; and
• Requiring all companies to have an email address and an ‘appropriate address’, being one where documents can be delivered and received by someone acting for the company.

Overall, these changes are likely to deliver more robust Companies House procedures. However, businesses may need to make changes to their own processes to comply – whether that’s how they submit information and what information they have to hand, or how they respond to challenges from Companies House. It is worth reviewing how they operate now to ensure that they are prepared to comply.

The power to seize cryptoassets

Recognising the rise of cryptoassets in economic crime, the ECCTA amends the Proceeds of Crime Act 2002, the Anti-terrorism, Crime and Security Act 2001 and the Terrorism Act 2000 to make it easier for law enforcement to “effectively investigate, seize, and recover the proceeds of crime within the cryptoasset ecosystem”, through both criminal and civil regimes.

Measures include enabling:

• Law enforcement to search for and seize cryptoassets before they make an arrest;
• Cryptoassets to be treated in a similar way to money and personal property, such as being transferring assets into law enforcement-controlled wallets;
• Courts to authorise the sale of cryptoassets; and
• Law enforcement to convert assets into cash pending the outcome of a forfeiture hearing to mitigate significant volatility in value.

These new measures have the potential to help accelerate enforcement measures – or at least prevent delays; provide new certainty across the corporate ecosystem as to how cryptoassets are likely to be treated, and ultimately provide victims of crime with a greater chance of recovering property or proceeds.

Corporate criminal liability

Perhaps one of the most significant and widely discussed changes is the introduction of the new offence of ‘failure to prevent fraud’.

Under this new offence, an organisation will be liable where fraud is committed by an employee for the benefit of an organisation, and the organisation does not have ‘reasonable’ fraud prevention procedures in place. Crucially, the leadership of the company does not have to have ordered, or even to have known about, the fraud for it to be held liable.

The failure to prevent (FTP) offence – that a company is liable if it failed to have adequate prevention measures in place – is not new. It was first introduced under the UK Bribery Act in 2010, and subsequently applied to tax evasion in the UK Criminal Finances Act 2017 (UK CFA).

At its heart, this model is designed to foster greater corporate responsibility.

If a company can be on the hook for events it did not actively instigate or know about, but simply because it did not prepare for such events, there is a heightened onus on it to strengthen its systems designed to detect and prevent fraudulent activity.

Unlike FTP instances in the UK Bribery Act and UK CFA, this new FTP model currently only applies to large ‘corporate bodies’, including non-profit and large incorporated public bodies.

The definition of ‘large’ mirrors the definition set out in the Companies Act 2006. An organisation must meet two or more of the following criteria:

• More than 250 employees;
• Generating more than £36 million in net turnover; and/or
• Holding more than £18 million in net assets.

Get it wrong, and the penalties can be significant. Under the failure to prevent fraud offence, corporate bodies can be subject to an unlimited fine. And the reach is far: organisations based overseas can be prosecuted if an employee of the organisation commits fraud under UK law or targets UK victims.

While we know this much so far, what we don’t know is what will be deemed to be ‘reasonable’ fraud prevention measures. The government has promised guidance, expected in Spring 2024, but this is yet to be published. In the next article in this series, we will discuss our views on the guidance and what businesses should be doing to plan for this and bolster their existing fraud risk strategies, policies and procedures.

Expanding the ‘identification doctrine’

Historically, it has been very difficult to attribute criminal liability to corporates. This was because prosecutors would have to – through the ‘identification doctrine’ – attribute the commission of an offence to a ‘natural person’, who could be held as the ‘directing mind and will’ at the time of the offence; in effect to identify them.

Complex corporate structures, which might see the most senior management practically removed from day-to-day decisions, made it challenging to establish the ‘directing mind and will’ in practice, particularly for harm that may have been caused or have occurred at a lower point in the management chain, or in part of the business that was more detached.

The ECCTA replaces this with a different approach which draws on the ‘senior manager test’ from the Corporate Manslaughter and Corporate Homicide Act 2007, although there are differences in the way the concept applies. In simple terms, this has the effect of significantly expanding the pool of individuals whose actions can be ‘linked’ to those of the organisation. Criminal liability can be attributed to a corporate if one of those senior managers commits a relevant offence, acting within the scope of their authority.

Just as with the new FTP offence, this does not mean that senior managers have new or different responsibilities under law. However, the increased risk of corporate prosecution may result in more internal burdens to bear as the organisation increases its risk management.

Taking action on SLAPPs

A final area covered by the ECCTA is in respect of measures designed to help tackle what are known as strategic lawsuits against public participation (SLAPPs). As the government describes, these are lawsuits that are brought against individuals or companies with the purpose of harassing or overwhelming them – perceived as an improper use of the UK’s legal system. They are often used to silence criticism as the costs of defending the lawsuit can be significant.

The ECCTA will give defendants a new ‘early dismissal’ mechanism, helping halt instances of SLAPPs before they gain momentum.

There is also a new cost protection regime, which should alleviate the cost burden of being on the receiving end of this action if it does proceed – ultimately helping make SLAPPs less effective as an offensive legal ‘weapon’.

The road ahead

This is intended to be a crackdown on economic crime. For businesses, it is a call to action to better manage the risk of fraud in their organisations.

As always, prevention is better than the cure. Looking ahead, organisations should be reviewing their governance and control procedures to ensure they are proactively identifying and mitigating key risk areas.

Only the largest organisations are currently subject to the new FTP fraud offence. However, it could be that, over time, smaller organisations are brought into scope. And, even if they are not compelled by law, the larger customers, partners or suppliers of smaller businesses may require them to adopt similar internal prevention measures as a form of ‘best practice’ in order to further manage their own risks.

Ahead of receiving guidance from the government, management teams in all industries should be reviewing what this means for them, taking proactive steps and seeking expert advice and support where necessary.