Seismic changes to UK corporate criminal liability for companies around the world

February 2025  |  SPECIAL REPORT: CORPORATE FRAUD & CORRUPTION

Financier Worldwide Magazine

February 2025 Issue


Provisions contained within the Economic Crime & Corporate Transparency Act (ECCTA) 2023 represent the most fundamental change in living memory to the financial crime and compliance framework in the UK. Due to its broad scope and wide extraterritorial reach, ECCTA will have a seismic effect on the risk landscape faced by multinational companies with links to the UK.

In the past, establishing corporate criminal liability (especially on the part of non-UK companies) was very difficult due to the ‘identification principle’ in English law. In effect, a prosecutor had to prove that the board (or people with specific authority delegated to them by the board) were involved in the relevant crime in order for their conduct to be imputed to the company.

The process of circumventing the difficulties presented by the identification principle began with the implementation of the UK Bribery Act 2010 (UKBA), which introduced a corporate offence of failing to prevent bribery, and the UK Criminal Finances Act 2017 (CFA), which introduced a corporate offence of failing to prevent the facilitation of tax evasion. In both cases, the laws have wide extraterritorial effect.

However, ECCTA goes significantly beyond this. First, it introduces liability on the part of companies for the criminal acts of their ‘senior managers’ in relation to a wide range of economic crimes (section 196 of ECCTA). Companies could in the past generally only be liable for the criminal acts of their board members and others with specific authority delegated to them.

This change in the law significantly widens the set of individuals who can expose a company to criminal liability. Unlike the ‘failure to prevent’ offences under the UKBA and the CFA, it is no defence for the company to show that it had appropriate procedures in place that were designed to prevent the wrongdoing. This ‘Senior Manager Regime’ came into force on 26 December 2023.

Second, section 199 of ECCTA introduces a new corporate ‘failure to prevent fraud’ (FTPF) offence. This is similar in design to the other ‘failure to prevent’ offences referred to above. However, given the broader scope and more widespread nature of fraud, the new law will cover a much wider range of conduct. Under the FTPF offence, criminal liability can attach to large companies on a strict liability basis for the frauds committed by their employees, service providers and other ‘associated persons’ (even if senior management was unaware of the conduct). The only defence to the FTPF offence is for the company to show that it had ‘reasonable prevention procedures’ in place to prevent the fraud.

On 6 November 2024, the UK government published official guidance as to the meaning of ‘reasonable prevention procedures’. At the same time, it announced that the FTPF offence will come into force on 1 September 2025.

It is important to note that these offences can also apply to the conduct of individuals and companies based outside of the UK.

The Senior Manager Regime

Until recently, the main way in which a company could be held criminally liable under English law for the acts of its employees was where the employee was acting as the directing mind and will (DMW) of the company. In general, only the board, or those to whom the board had explicitly delegated authority, would be capable of constituting the company’s DMW. This led to difficulties in prosecuting companies, as evidence implicating such individuals was generally hard to find, or it was often more junior employees who engaged in the relevant conduct.

However, since 26 December 2023, it has been possible for companies to be held criminally liable for relevant offences committed by their ‘senior managers’, where they are acting within the actual or apparent scope of their authority. This power is additional to powers that UK prosecutors already have to prosecute individuals for the same offence.

For these purposes: (i) ‘relevant offences’ include a wide range of criminal offences that are relevant to companies, including fraud, bribery, theft, false accounting, money laundering, financial regulatory and tax-related offences (schedule 12 of ECCTA contains the full list of relevant offences); and (ii) ‘senior managers’ are defined as individuals who play a significant role in the making of decisions about how the whole, or a substantial part, of the activities of the company are to be managed or organised, or in the actual managing or organising of the whole, or a substantial part, of the company’s activities.

Importantly, guidance states that senior individuals within non-executive roles (such as legal, finance, human resources or compliance departments) can satisfy the definition of being a senior manager. The test is one of fact, in accordance with the definition in section 196; it is therefore irrelevant what is stated on a person’s business card or contract of employment.

It is important to note that the Senior Manager Regime is distinct from the Senior Manager & Certification Regime (SMCR) administered by the Financial Conduct Authority. While there may be an overlap in an organisation between those who are senior managers under ECCTA and senior managers under the SMCR, the underlying legal tests and resultant responsibilities are different and should be considered separately.

Under ECCTA, a company (wherever incorporated) can be liable for the criminal acts of its senior managers wherever they take place, subject to the jurisdictional reach of the underlying criminal offence.

Importantly, a company can be criminally liable under this provision even where it has implemented reasonable prevention procedures for the purposes of the FTPF offence. However, such procedures are of course vital in reducing the risk of the wrongdoing occurring in the first place (and may be a factor in favour of the courts imposing a lower sentence in the event of conviction under section 196).

FTPF offence

The FTPF offence comes into force on 1 September 2025. In short, it is a crime where a company fails to prevent fraud by its associated persons. The provisions of the legislation only apply to ‘large organisations’, meaning companies meeting any two of the following three criteria across their whole group: over 250 employees, over £18m in total assets or over £36m turnover.

A large organisation will commit an offence where one of its ‘associates’ commits a fraud offence intending to benefit either the organisation or someone to whom the associate provides services on the organisation’s behalf.

Importantly, a large organisation can commit the FTPF offence even if incorporated outside of the UK. All that is required is that there is a relevant UK link to the fraud (such as UK victims, UK conspirators or where part of the relevant conduct took place in the UK). As a result, by way of example, a Japanese company could be criminally liable in the UK for failing to prevent an employee or service provider in Germany from engaging in a fraud that has an impact in the UK.

For these purposes ‘associate’ means an employee, agent or subsidiary of the organisation, or someone who otherwise performs services for or on behalf of the organisation. This is extremely broad, and can cover the full range of third parties that provide services for or on behalf of a company. ‘Fraud’ includes fraud offences under the UK Fraud Act 2006, false accounting under the UK Theft Act 1968 and the common law offence of cheating the public revenue (schedule 13 of ECCTA contains the full list of fraud offences).

Large companies can commit the FTPF offence even if none of their management are aware of, or involved in, the fraud. However, a company cannot be guilty of an offence if it was the sole victim of the fraud. For these purposes, a company is not a victim simply by virtue of having incurred costs connected with being investigated or prosecuted.

Upon conviction, the court can impose unlimited fines that will be calculated in accordance with the relevant sentencing guidelines.

It is important to note that a full defence exists to a section 199 offence if – but only if – the company has implemented ‘reasonable’ procedures that were designed to prevent the relevant conduct. Official guidance in relation to such procedures was published by the UK government on 6 November 2024.

There are steps that can be taken immediately to ensure that companies are properly prepared for the FTPF offence. However, undertaking associated risk assessments, and designing and implementing appropriate procedures, is a specialist process that is likely to take some time, and obtaining access to experienced advisers is likely to be more difficult the closer it gets to September 2025. Companies should therefore act quickly.

What should companies do now?

There is no ‘one size fits all’ approach for companies to adopt. The measures required to protect a company are dependent on the specific risks faced by the company, including where, how and with whom it does business. Heightened risks are known to exist in certain industries and countries, or when dealing with third parties and joint venture partners in unfamiliar markets.

In relation to the Senior Manager Regime, a simple – but effective – first step would be to ensure that the senior managers across an organisation are identified and, along with their deputies and key team members, provided with enhanced compliance training about the scope of ECCTA. This training should reinforce what behaviours are unacceptable and underscore the importance of complying with applicable laws and company policies.

As regards the FTPF offence, reference should be made to the government guidance as to the meaning and scope of ‘reasonable prevention procedures’ under ECCTA. As with the previous corporate criminal offences under the UKBA and the CFA, the UK government’s guidance published under ECCTA is underpinned by six key principles, as outlined below, that should inform the approach taken by companies to their fraud prevention programmes.

Risk assessments. Companies should assess the nature and extent of the risks of fraud by their associated persons. This requirement is vital as it will help to determine what proportionate policies and procedures will look like in the specific circumstances of a company and those areas where it should focus its attention. To that end, the guidance states that “it will rarely be considered reasonable not to have even conducted a risk assessment” and that risk assessments should be dynamic, documented and reviewed regularly.

Proportionate, risk-based prevention procedures. Policies and procedures should be proportionate to the risks faced by a company and to the nature and complexity of its activities. This means that more robust measures will be required where the risks are higher.

Top level (board) commitment. The senior management of a company must communicate its commitment to rejecting fraud throughout the company and fostering a culture of compliance. ‘Senior management’ is not defined in any detail for this specific purpose, but the guidance published under ECCTA suggests that senior managers under the SMCR may be an appropriate benchmark for regulated firms to use.

Communication and training. It is not enough for a company simply to put into place new policies – they have to be designed and implemented properly, and form part of the fabric of how the company does business. An important aspect of that is ensuring that personnel are trained as to fraud risks and the nature of the company’s policies and procedures (including those relating to whistleblowing).

Due diligence. Companies should undertake proportionate and risk-based due diligence into those persons who perform services for or on their behalf.

Monitoring and review. Policies and procedures relating to fraud detection and prevention must be monitored regularly to ensure that they are fit for purpose and effective. Where areas for improvement are identified, the company should take steps to implement them.

Given the above guiding principles, companies should arrange for senior managers and their key team members to receive appropriate training as to the new risks relating to fraud and other economic crime, and the best practices in mitigating them. This should be done urgently as it would provide an additional layer of protection while a robust risk assessment is being undertaken.

Regulated firms may wish to ensure that those designated as senior managers under the SMCR are included within the pool of employees subjected to this training (even if they might not strictly fall under the senior manager definition under ECCTA). Such training should be refreshed periodically and re-run for new joiners or those who missed it.

Fraud risk assessment

The most important step for dealing with the FTPF offence is to undertake a detailed fraud risk assessment in order to determine the areas of highest risk across the business. The methodology for conducting a safe and reliable risk assessment is crucial. Certain tasks should be undertaken by certain persons, in a particular way and in a particular order. Data and documents need to be gathered, analysed and recorded according to a carefully devised protocol.

When drafting a written risk assessment, it is important to avoid inadvertently creating a disclosable ‘road map’ to key risks, persons and issues in the organisation, or recording issues or making recommendations in a way that unnecessarily highlights issues or weaknesses in the past. What is contained in the risk assessment, and how matters are described, is therefore very important. The risk assessment should be undertaken by experienced lawyers who can gather required information in a privileged context. Fraud risk assessments should also be updated periodically.

Whether or not legal privilege applies or is asserted, it should be assumed that various regulators and other stakeholders may try to obtain access to the risk assessment document – or at least to key findings and recommendations. Alternatively, the company may choose to waive privilege. As a result, the risk assessment (and related work product) must be carefully compiled and drafted. Language must be precise and assessments must be balanced, credible and supportable. Be prepared to manage those with an interest in seeking access to the risk assessment (such as auditors, bankers, insurers, investors, regulators, suitors in M&A transactions and possibly opponents in litigation).

It is also important to remember that parties in the UK ‘regulated sector’ for the purposes of the UK Proceeds of Crime Act 2002 (e.g., auditors, bankers, third party lawyers, etc.) have a duty to report suspected crime to the UK National Crime Agency by way of a suspicious activity report. Failure to do so is a criminal offence.

If issues of particular sensitivity are discovered during the risk assessment process, it may be desirable to ‘quarantine’ them into a separate advisory environment or investigation, so that the issues can be protected by legal privilege and do not taint the risk assessment process. A key objective is to resolve such issues before the process is completed and conclusions are stated in the risk assessment document.

The UK government guidance on ECCTA states that investigations should be “independent, appropriately resourced and scoped (including through legal advice) and legally compliant” and that “useful sources of information include the ‘Global Practitioners Guide to Investigations’”.

All of these considerations impact timing, process and cost. To avoid common pitfalls and ensure that resources are appropriately targeted, companies should give consideration to the methodology for such a sensitive project before work commences.

Conclusion

ECCTA provides UK law enforcement agencies with tools they never had before and the ability to prosecute companies in circumstances where it was not previously possible. By preparing proactively for the impact of ECCTA, companies can better insulate themselves against the potential uncertainties to come, and can even secure a competitive advantage by using strong compliance as a differentiator.

New Year’s resolutions often fall by the wayside after a few weeks. A resolution to address the new risks posed by ECCTA is not one that should be broken. Prosecutors in the UK are very keen to use their new powers; make sure that your company is not the test case that makes their New Year a happy one.

Simon Airey is a partner, James Dobias is a counsel and Will Merry is a senior associate at McDermott Will & Emery UK LLP. Mr Airey can be contacted on +44 (0)20 7577 3470 or by email: sairey@mwe.com. Mr Dobias can be contacted on +44 (0)20 7575 0319 or by email: jdobias@mwe.com. Mr Merry can be contacted on +44 (0)20 757 7691 or by email: wmerry@mwe.com.

© Financier Worldwide

