ECCTA: a new era for corporate oversight and anti-fraud measures

March 2025  |  TALKINGPOINT | FRAUD & CORRUPTION

Financier Worldwide Magazine

March 2025 Issue

FW discusses ECCTA in a new era for corporate oversight and anti-fraud measures with Simon Airey, James Dobias and William Merry at McDermott Will & Emery UK LLP.

FW: With the Economic Crime & Corporate Transparency Act 2023 (ECCTA) substantially increasing criminal liability for companies in the UK and abroad, could you outline the reasons behind the UK government’s introduction of these provisions and the scope of the new law?

Airey: Fraud is by far the most prevalent crime in the UK, accounting for 40 percent of all offences in England and Wales. And yet, companies are very rarely prosecuted for fraud and other financial crimes due to quirks in English law. The Serious Fraud Office, for example, has experienced severe frustration in its ability to prosecute corporates. These difficulties came to a head in 2018, when a senior judge decided that the alleged acts of the most senior executives in a major bank – if proven – could not be attributed to the bank through the operation of the ‘identification principle’ in English law. The result was, even though the chief executive and chief financial officer of the bank were at the centre of an alleged conspiracy to make illegal payments of over £300m, their actions could not have led to criminal liability for the bank. This was because, the court held, they were not acting within the scope of their authority as directors of the bank and so could not have been acting as the bank’s ‘directing mind and will’. The Economic Crime & Corporate Transparency Act’s (ECCTA’s) reforms were largely the result of intense lobbying by prosecutors and lawmakers who were very frustrated at the difficulty of holding companies to account. Prior to ECCTA, the circumstances in which a company could be held liable for the financial crimes of its personnel were very limited – effectively, where board members were directly involved in the wrongdoing, while acting within the scope of their authority. An additional difficulty was finding evidence to implicate board members in large companies, for the simple fact that it was more junior employees who were involved in the relevant conduct. The reforms in ECCTA mount a two-pronged attack against the perceived difficulties with the previous law. First, section 196 of ECCTA drastically expanded the pool of people whose wrongdoing could be attributed to a company. Now, if a ‘senior manager’ of a company commits a relevant offence – be it fraud, false accounting, bribery or breaches of sanctions laws – the company also commits that offence. The statutory definition of ‘senior manager’ extends to a much wider cohort of persons in a company than just its board of directors. This new regime, the Senior Managers Regime, came into force on 26 December 2023. Second, section 199 of ECCTA introduces a new corporate offence of ‘failing to prevent fraud’ (FTPF offence). Under this provision, which comes into force on 1 September 2025, organisations over a certain size are criminally liable when someone ‘associated’ with them – an employee, agent or subsidiary – commits a relevant offence while intending to benefit the organisation or one of its customers. This new offence follows in the footsteps of other corporate ‘failure to prevent’ offences, such as those under the UK Bribery Act 2010 (UKBA) and the Criminal Finances Act 2017 (CFA), where it is a defence to show that appropriate procedures were in place that had been designed to prevent the relevant conduct.

It seems perverse that small companies are excluded from the scope of the FTPF offence. After all, small companies are just as capable of being involved in criminal offending as large ones.
— William Merry

FW: What additional compliance obligations does the new ECCTA regime place on companies operating in or through the UK? How do the provisions compare to similar legislation such as the Bribery Act 2010 (UKBA) and the Criminal Finances Act 2017 (CFA)?

Dobias: The FTPF offence does not impose a legal obligation upon companies to implement appropriate anti-fraud procedures. However, where a person associated with a company commits a relevant fraud offence, ECCTA affords a full defence to companies that can show that they had ‘reasonable prevention procedures’ in place to prevent the relevant fraud from occurring or that it was reasonable in the circumstances not to have such procedures in place. The UK government guidance as to the meaning of ‘reasonable prevention procedures’ was published in November 2024. As anticipated, it follows many of the same themes as the equivalent guidance under the UKBA and the CFA. For example, it stresses the importance of conducting a detailed risk assessment in relation to the specific fraud risks it faces, according to where, how and with whom it does business – noting that it will rarely be acceptable for companies not to have conducted one. Likewise, the Senior Managers Regime does not impose positive obligations for companies to do anything, per se – however, there is no ‘reasonable procedures’ defence to offences within the scope of the Senior Managers Regime, as opposed to the FTPF offence. Instead, the company will essentially need to prove that the relevant offence did not take place. Accordingly, the best way for companies to mitigate risks posed by the Senior Managers Regime is to prevent the conduct occurring in the first place. Companies should identify potential ‘senior managers’ according to the legal definition and make sure they are trained on the new law and related risks. A robust compliance programme could also deter authorities from prosecuting companies for wrongdoing by senior managers on the basis that a prosecution of the company would not be in the public interest. Alternatively, the existence of such a programme may reduce the penalty upon conviction.

FW: Will these provisions make the UK a less attractive place to do business?

Merry: On the contrary, there are myriad risks that a company can face when its counterparties, such as suppliers, agents, intermediaries or joint venture partners, are non-compliant with UK laws. Aside from the risks of a company being embroiled in a criminal investigation focused on one of its counterparties – such as by being a witness or even investigated and indicted as a conspirator – the consequences of a counterparty being investigated or prosecuted can be ruinous. For example, it could impact the counterparty’s ability to perform its obligations under contracts and damage the reputations of those with whom they do business. Further, counterparties with robust anti-fraud policies are, as a consequence, less likely to defraud those with whom they do business. Accordingly, we consider that ECCTA is part of a framework of laws that help to make the UK a safer place to do business. Separately, smaller companies can take comfort in the fact that the FTPF offence does not apply to them. As a result, they can avoid the financial burden associated with conducting a risk assessment and implementing appropriate prevention procedures, although they may nevertheless benefit from doing so.

The Senior Managers Regime does not impose positive obligations for companies to do anything, per se – however, there is no ‘reasonable procedures’ defence to offences within the scope of the Senior Managers Regime, as opposed to the FTPF offence.
— James Dobias

FW: Given that the FTPF offence under ECCTA means that companies can be held accountable for fraudulent activities conducted by their ‘associates’, what measures do companies need to implement before the offence comes into effect on 1 September 2025?

Airey: Importantly, the FTPF offence only applies to ‘large organisations’, being those that meet at least two of the following criteria across their corporate group in the year proceeding the relevant offence – turnover of £36m per annum, £18m in assets on their balance sheet, or over 250 employees. Companies that do not meet at least two of those thresholds across their business – also taking into account the businesses of any subsidiaries – cannot commit the FTPF offence. Companies that are subject to the FTPF offence should take steps in order to give them the best possible chance of being able to avail themselves of the ‘reasonable prevention procedures’ defence. In doing so, they should consider carefully the UK government guidance on ‘reasonable prevention procedures’, which is based on six core principles. First, top level commitment, whereby the board and senior management of a company demonstrate a commitment to preventing fraud. Second, risk assessment, whereby large organisations must conduct a robust assessment of the fraud risks present in their businesses, by reference to the various offences within the scope of the FTPF offence. Third, proportionate, risk-based prevention procedures, which involves implementing policies and procedures designed to stop associated persons from committing a fraud offence. Fourth, due diligence, which means ensuring that prospective counterparties are adequately identified so that risks that might be associated with contracting with them can be avoided or mitigated. Fifth, communication, including training, to ensure that staff are educated as to the company’s policies and procedures. And sixth, monitoring and review, which means companies should regularly monitor the performance of their anti-fraud policies and procedures, learning from issues as they arise and updating the anti-fraud policies accordingly. Each of these steps can be complex and burdensome, so companies should not delay in taking advantage of the transitional period until 1 September 2025 when the offence comes into force. This period is intended to allow companies sufficient time to assess relevant risks, and design and implement reasonable procedures.

FW: What penalties can be imposed on companies and persons for a breach of ECCTA? How will the severity of non-compliance be assessed and the proportionality of any penalty be determined?

Dobias: The reforms to ECCTA referred to relate to corporate liability, rather than individual liability, the regime for which remains unchanged. The financial penalties for companies convicted of the FTPF offence and offences relevant to the Senior Managers Regime are generally expressed in legislation to be an ‘unlimited fine’. The actual level of financial penalty to be imposed will be dependent on the relevant guidelines set by the Sentencing Council, which can be a complex exercise. The sentencing guidelines for corporate offenders set out 10 steps for courts to consider, which include the assessment of any compensation to be paid to victims, the confiscation of any profits arising from the offence and a fine. For the most serious offences, the fine could be a figure comprising 400 percent of the level of harm caused by the offending or the benefit obtained. When combined with confiscation and compensation orders, and legal costs, the impact can be huge. A guilty plea could lead to the reduction in penalty by up to one third. If the company is fortunate enough to be offered a deferred prosecution agreement (DPA), further considerations may apply if the company earns full cooperation credit. A range of other negative consequences may arise, such as debarment from public procurements, regulatory investigations, impact on share price, civil litigation, breaches of financial covenants, increased banking and insurance costs, loss of business and major reputational damage.

Provided that UK investigating and prosecuting agencies are adequately resourced, we expect to see companies appearing as defendants in criminal cases with greater regularity in the coming years.
— Simon Airey

FW: Since the FTPF offence only applies to ‘large’ organisations, to what extent might fraudsters evade accountability by exploiting the threshold definitions in ECCTA?

Merry: It seems perverse that small companies are excluded from the scope of the FTPF offence. After all, small companies are just as capable of being involved in criminal offending as large ones. During the passage of ECCTA through parliament, Lord Edward Garnier KC, the former Solicitor General for England & Wales, delivered a passionate but unsuccessful speech in favour of the FTPF offence applying to all companies, arguing, “That is the equivalent of us saying that every burglar over six feet, six inches is liable to be prosecuted, if the evidence and public interest dictate, but every burglar under that height gets off scot free”. However, the assessment of whether a company is a ‘large organisation’ within the meaning of section 199 of ECCTA can take into account the financial position of a company’s wider group. This will help to ensure that companies do not try to evade liability through offending committed by smaller subsidiaries. We would treat with healthy scepticism any argument that fraudsters will be paying close attention to the threshold amounts in ECCTA and adjust their corporate affairs accordingly in order to avoid falling within the scope of the FTPF offence. However, the FTPF offence is strict liability, which makes it much easier for prosecutors to pursue companies. The exclusion of smaller companies from the scope of the FTPF offence may, therefore, act as a dampener on prosecutorial activity. Separately, the Senior Managers Regime applies to all companies irrespective of size, and to which the ‘reasonable procedures’ defence does not apply, so prosecutors will inevitably focus on the role of anyone who might satisfy the definition of a senior manager, irrespective of the size of the company.

FW: How effective do you believe ECCTA is likely to be in practice? How confident are you that the legislation will make it easier to hold organisations to account for the criminal activities of their employees or agents?

Airey: In terms of the FTPF offence, part of its power is that the mere existence of the ‘reasonable prevention procedures’ defence will cause large companies to devise and implement improved fraud compliance programmes. Just as the UKBA’s ‘failure to prevent bribery’ offence helped many companies to identify and mitigate relevant risks, so too will the FTPF offence. To this end, the FTPF offence covers a much wider range of conduct than the offences under the UKBA and CFA. For example, the offence of false accounting under section 17 of the Theft Act 1968 can apply to the falsification or concealment of all kinds of finance-related documentation, such as the backdating of invoices, the padding of timesheets or the incorrect recognition of revenues. The FTPF offence may also be a shot in the arm of prosecutors seeking to agree DPAs with corporates keen to avoid a criminal trial. It may well be more palatable for them to agree a DPA with an indictment containing the FTPF offence, rather than one with substantive fraud offences among the charges. However, the Senior Managers Regime is the real prize for prosecutors who are hungry to tap into the deeper pockets of companies. While there will doubtless be arguments made by corporate defendants that ECCTA still does not allow for criminal liability in their case, it cannot be denied that the substantial expansion of corporate criminal liability under the Senior Managers Regime represents a real sea change in the risk landscape for companies. Provided that UK investigating and prosecuting agencies are adequately resourced, we expect to see companies appearing as defendants in criminal cases with greater regularity in the coming years.

 

Simon Airey focuses his practice on global, cross-border and internal investigations, financial and regulatory crime, bribery and corruption, money laundering, tax and fraud inquiries, data breaches, dawn raids, asset tracing, international enforcement and corporate compliance issues. He serves as co-head of McDermott’s global investigations and compliance practice. He can be contacted on +44 (0)20 7577 3470 or by email: sairey@mwe.com.

James Dobias focuses his practice on a wide range of domestic and international corporate crime and investigations related matters, including bribery, corruption, money laundering, tax evasion, fraud, data breach and associated regulatory and compliance issues. He has experience assisting with and advising on internal investigations, SFO and FCA investigations, enquiries by HMRC, anti-bribery and corruption compliance, whistleblowing, AML issues and fraud investigations. He can be contacted on +44 (0)20 7575 0319 or by email: jdobias@mwe.com.

William Merry focuses his practice on a range of domestic and international corporate crime and investigations-related matters. He has experience in resolving anti-bribery and corruption, anti-money laundering, fraud and sanctions matters in both contentious and non-contentious contexts. He can be contacted on +44 (0)20 0757 7691 or by email: wmerry@mwe.com.

© Financier Worldwide

THE PANELLISTS

Simon Airey

James Dobias

William Merry

McDermott Will & Emery UK LLP

©2001-2025 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.