Proposed further expansion of corporate criminal liability in the UK highlights importance of financial crime risk management

1. How can corporates be liable in the event of criminal conduct by employees?

In addition to facing potential civil claims from investors or other third parties that suffer loss, the ways in which corporates can be criminally liable in connection with the criminal conduct of their staff include:

1. failure to prevent offences such as the new ‘failure to prevent fraud’ offence which comes into force from 1 September this year; and
2. an attribution process by which acts of certain individuals are treated as committed by the corporate entity.

In the case of regulated firms, the underlying conduct could give rise to regulatory enforcement by the FCA / PRA (even if no prosecution were brought) and any criminal conviction would be relevant to the regulator’s assessment of suitability in accordance with the threshold conditions. We set out below further details of how such criminal liability could arise.

Failure to prevent offences

A number of new offences have been introduced over recent years, including failure to prevent bribery (2011) and failure to prevent the facilitation of tax evasion (2017). A failure to prevent money laundering offence has also been proposed previously, but as of yet is not in force. The most recent addition is the new offence of failure to prevent fraud and further details on this development can be found on our “FTPF hub”.

The scope of the failure to prevent fraud offence extends beyond senior managers to all “associated persons” which includes all employees (whatever their level) as well as subsidiaries and third parties performing services for or on behalf of the corporate. This means that an in-scope “large” organisation (a corporate, wherever in the world it is based, that either alone or on a consolidated / aggregated basis with its subsidiaries, satisfies two or more of the following conditions in the financial year preceding the year of the offence: (i) more than 250 employees; (ii) more than GBP 36 million turnover; and / or (iii) assets of more than GBP 18 million), could be guilty of failure to prevent fraud where it or its client has benefitted from a fraud committed by an employee / other associated person (or there was an intention it should benefit), irrespective of the employee / associated person’s level of seniority. The corporate does not have to be based in the UK as a UK nexus could also arise from other UK connections such as a gain or loss in the UK. Whilst the failure to prevent fraud offence applies to all corporates that meet the relevant test set out above, there are added implications for regulated financial services firms.

In ‘failure to prevent’ scenarios, the organisation is not prosecuted for the underlying conduct it has failed to prevent (e.g. fraud), and indeed there is no need for the relevant associated person to be prosecuted. Rather, the organisation is prosecuted (or a Deferred Prosecution Agreement is entered into with a prosecutor) for the offence of having failed to prevent the relevant conduct. In-scope organisations have a defence if they can demonstrate that either: (i) reasonable procedures were in place to prevent fraud; or (ii) it was not reasonable in all the circumstances to expect the organisation to have prevention procedures in place.

Attribution to the corporate of the acts of its senior managers

Since December 2023, certain economic crimes committed by “senior managers” acting within the scope of their actual or apparent authority, can be attributed to the company on whose behalf they are acting, for the purposes of holding that company criminally liable (s.196 Economic Crime and Corporate Transparency Act 2023 (ECCTA)). This is wider than the identification doctrine, which effectively meant that the corporate would only be accountable where the relevant crime was committed by a person or group of persons constituting the “directing mind and will” of the company (which in practice has become increasingly difficult for prosecutors to prove).

Unlike failure to prevent fraud, the effect of the new provision is that:

1. companies of all sizes are in scope and there is no need for an intention to benefit the organisation to be shown to establish liability;
2. corporates can be prosecuted for the underlying economic crime committed by the relevant senior manager (not just for failing to prevent it); but
3. it is only acts of a “senior manager” which are relevant for these purposes.

The provision is explicitly applied to overseas companies (s.196(4) ECCTA).

The meaning of “senior manager” under ECCTA is any person who plays a significant role in:

(a) the making of decisions about how the whole or a substantial part of the company or partnership's activities are to be managed or organised, or

(b) the actual managing or organising of the whole or a substantial part of those activities.

The Serious Fraud Office has noted that it expects this definition to be litigated. In a financial services context, this definition is far broader than a person approved to perform a controlled function under the Senior Managers and Certification Regime.

The economic crimes which are in scope of the new provision include, bribery, sanctions offences and money laundering offences, as well as the nine underlying fraud offences which are relevant to failure to prevent fraud. This means that if one of the underlying fraud offences is committed by a senior manager, a corporate could face prosecution for that fraud offence and/or for failure to prevent fraud. Conversely, if the fraud was not committed by a senior manager, the corporate could be liable for failure to prevent fraud but not the fraud itself.

In the context of failure to prevent fraud, an in-scope organisation can commit the offence if one of its associated persons has committed an underlying fraud offence. Associated persons can include other corporate entities such as subsidiaries. When considering whether a corporate associated person has committed one of the underlying fraud offences it may be necessary to identify whether relevant acts have been committed by a senior manager such that they can be attributed to the corporate associated person.

2. Upcoming developments

The Crime and Policing Bill (the Bill), which was introduced in the House of Commons on 25 February 2025 and is now (as of 1 April 2025) at the Committee Stage, proposes to widen the circumstances in which a corporate can be held criminally liable for any offence committed by a senior manager while acting within the actual or apparent scope of their authority. This will be achieved through extending the potential attribution of crimes committed by senior managers to include all criminal offences, not only economic crimes as is currently the case under ECCTA (s. 130 of the Bill).

The practical effect of the Bill will likely be that law enforcement agencies may find it easier to prosecute companies and partnerships for a broader range of offences including, for example, offences under environmental, data protection, modern slavery, and competition legislation as well as criminal insider dealing.

3. How to mitigate the risks associated with failure to prevent and attribution?

Against this background of increasing liability, there are a number of practical steps which companies can take to mitigate the risks associated with failure to prevent offences and senior manager attribution. We summarise some of these steps below:

• Risk-assessments can be adapted to cover the risk of committing relevant offences including by reference to historic issues or near misses, issues faced by industry peers, and relevant guidance (and by determining who is likely to be considered an “associated person” or senior manager, and which parts of their organisation are likely to be within the jurisdiction of the relevant offences).
• Policies and procedures can be enhanced where necessary to reflect the risk assessment and any gaps identified.
• Governance and tone from the top (including how those messages flow down through the organisation) remain important. This helps to reinforce expectations amongst all staff members, irrespective of their position and level of authority.
• Staff vetting both at the onboarding stage, but also by taking appropriate steps throughout the employment lifecycle, can assist in ensuring that staff behaviour remains aligned with the corporate’s expectations and the legal and regulatory requirements to which it is subject. There are several complexities to consider in this context, including data protection and employment law considerations.
• Training will help to re-emphasise the requirements and expectations that staff and associated persons need to be aware of on an ongoing basis. Using case studies and real-life examples can bring the training “to life” and help to encourage audience participation and engagement. Corporates may want to think about having tailored training modules for senior managers and for those in high-risk positions.
• Whistleblowing and internal investigation procedures are useful tools in identifying early on behaviour which may give rise to liability for the company and dealing with it effectively including by learning any lessons.
• Due diligence on third parties and M&A targets is an essential tool that may need upgrading to take account of new or enhanced potential exposure (together with implementation of appropriate monitoring mechanisms and contractual provisions).
• Monitoring and review on a periodic basis to testing compliance procedures can assist in ensuring they remain effective.