A guide to corporate criminal liability in England and Wales

Here, Dan Stowers and Lucy Ryczany from our business crime and compliance team present a guide to corporate criminal liability.

Find out what your company needs to know about the Economic Crime and Corporate Transparency Act 2023 and how to implement an effective compliance programme.

 

General principles of corporate criminal liability

A company is treated in law as a ‘legal person’ and is therefore capable of committing and being prosecuted for criminal offences committed by those acting on its behalf.

There are three ways in which a company can commit a criminal offence:

1. Through the identification doctrine — when a person who can be shown to be the ‘directing mind and will’ of a corporate commits an offence.
2. Where parliament has created specific criminal offences for corporates — for example, under the Bribery Act 2010 (failure to prevent bribery) the Criminal Finances Act 2017 (failure to prevent the facilitation of tax evasion) and under the Economic Crime & Corporate Transparency Act 2023, (failure to prevent fraud).
3. Through vicarious liability — a rule of law that holds a company (or person) responsible for actions committed by their employees or other third parties. This is generally used for regulatory offences that don’t require proof of fault and are known as strict liability offences.

 

Issues prosecuting companies

When it comes to prosecuting companies for the more serious financial crime offences, the identification principle is generally considered to be outdated and ineffective and has been criticised for failing  to keep up with the breadth and nature of business in the 21st century.

While debating the Economic Crime and Corporate Transparency Bill (now the Economic Crime and Corporate Transparency Act 2023) on 23 June 2023 in the House of Lords, Lord Sharpe of Epsom said:

“As companies have grown, their operations and governance have become spread across different areas, making it incredibly difficult to pinpoint the directing mind of a company, particularly in a large organisation.

Individuals with significant authority can escape corporate liability by asserting that the directing mind and will is elsewhere.

Meanwhile, there is an unfairness here. Smaller companies, perhaps with one or two directors, have much more easily identifiable directing minds, meaning that corporate liability is more easily attributable and a prosecution is more likely to be successful.”

The Chief Crown Prosecutor for the CPS recently stated that the scale of fraud in the UK represents over 40% of all criminal activity. It’s hardly surprising, then, that there has been a legislative shift with a focus on holding corporate entities to account for the criminal behaviour of those associated with them.

That shift has seen the introduction of failure to prevent offences, including a failure to prevent bribery offence in 2010 and failure to prevent the facilitation of tax evasion offence in 2017. These will be joined by a further (and much wider) failure to prevent fraud offence, after the Economic Crime and Corporate Transparency bill received Royal Assent on the 26 October 2023.

The Economic Crime and Corporate Transparency Act has been described as the “largest and most meaningful change to corporate criminal liability in decades” and is intended to bring about a “transformative effective on our ability to hold corporates to account for the actions of criminal individuals”.

In addition to the new failure to prevent fraud offence, the Act (among other things) will clarify and expand the identification principle to a wider group of individuals that are capable of criminally binding the corporate with their actions.

Lord Garnier distinguished the identification principle and the failure to prevent offences (during a debate in the House of Lords) as follows:

“…we must recognise the distinction between the identification principle and the amendment that the Government are bringing forward, which enables people lower down the corporate hierarchy to bring liability for criminal activities to the company.

That is to be distinguished from the failure to prevent regime, which is where the company is made liable for failing to prevent offences committed by its associates or other employees, sometimes overseas”.

 

The identification doctrine — the historical situation and the position under the new law 

Previously, under the common law provisions,a company could be held criminally liable if it could be established that an offence had been committed by an individual, who had the relevant mens rea, and was sufficiently senior within the corporate that they could be said to be the corporate’s ‘directing mind and will’.

The Government and prosecutors had long been critical of this doctrine, which some suggest was out of line with the evolution of business, where:

1. The true directing mind of a business may be unclear. There may be a number of legitimate reasons for this. For example, a corporate may operate through a board or behind a complex company or management structure which may involve multiple subsidiaries.
2. Senior managers with decision-making functions aren’t considered to possess a directing mind.
3. Difficulties in attributing corporate criminal liability mean that companies are often retaining the benefit from criminal conduct carried out by people associated with the business.

The Economic Crime and Corporate Transparency Act overhauls the common law position and make it much easier to attribute liability to the corporate by providing that the actions of a much broader scope of individuals — including senior managers while acting within the scope of their actual or apparent authority — are capable of binding the corporate in relation to relevant offences.

Identifying such individuals will require consideration of their individual role and decision-making ability, rather than just their job title. This will significantly lower the threshold for criminal liability.

The Government believes that this will “reduce the ability for corporations to use complex management structures to conceal who decision makers are and therefore level the playing field for business of all sizes”.

Presently, a relevant offence covers a wide range of economic crime offences, including:

• Conspiracy to defraud.
• Cheating the public revenue (e.g., tax evasion).
• Various offences under the Financial Services and Markets Act 2000 (FSMA) including:
  • Section 23, FSMA (carrying on an FCA regulated activity without authorisation of the FCA).
  • Section 25, FSMA (communicating a financial promotion unless the communication is made or approved by an FCA authorised person or falls within an exemption).
  • Section 398, FSMA (knowingly or recklessly giving false or misleading information to the FCA or PRA).
• Theft.
• False accounting.
• False statements by company directors.
• Fraudulent evasion of duty.
• Fraudulent evasion of VAT.
• Fraudulent trading.
• Any of the substantive money laundering offences.

However, in addition to the Secretary of State's ability to amend the schedule of relevant offences caught by the Act it's anticipated that further and hugely significant changes are set to be introduced under the Criminal Justice Bill — which will see the criteria for corporate criminal liability expanded further. The Bill continues to be debated and we are yet to see if it will become law.   

Under the proposed bill, ‘relevant offences’ defined in the Economic Crime and Corporate Transparency Act will be replaced by an ‘all offences’ provision — significantly broadening the scope of corporate criminal liability.

The Criminal Justice Bill proposes that ‘a corporate body or partnership’ will ‘be held criminally liable where a senior manager commits any offence while acting within the actual or apparent authority granted by the organisation’.

 

Failure to prevent offences

Bribery Act 2010 — failure to prevent bribery

The Bribery Act introduced the first in a series of ‘failure to prevent’ offences, making it a corporate criminal offence when a corporate fails to prevent a person associated with the company from bribing another with the intent to secure business or gain a commercial advantage.

The offence applies to all UK corporations or partnerships formed in the UK, irrespective of where it carries on business.

The Act also creates a defence where a corporate can demonstrate that adequate procedures were in place to prevent an associated person from engaging in such conduct. Where a corporate doesn’t have such procedures in place and bribery occurs, it will commit an offence and could be prosecuted.

Corporate penalties include:

• unlimited fine
• debarment from public contracts
• confiscation order
• compensation order
• serious crime prevention order
• deprivation order or financial reporting order.

In addition to the penalties, you can expect significant legal costs when defending and dealing with the matter, as well as disclosure to professional regulators (where relevant), HR costs and adverse publicity.

The individuals concerned may receive an unlimited fine and/or ten years in prison and be exposed to additional ancillary orders.

 

Criminal Finances Act 2017 — failure to prevent the facilitation of tax evasion

Similar to the Bribery Act 2010, the Criminal Finances Act 2017 creates a failure to prevent offence where an associated person facilitates, during the course of business, the criminal evasion of:

• UK tax, or
• foreign tax.

In such circumstances, the corporate will be exposed to criminal liability. The scope of the offence is wide. The UK offence applies to any corporate, anywhere, that fails to prevent the facilitation of UK tax evasion by an associated person. Therefore, for example, a company incorporated in Germany that facilitates the evasion of UK tax is at risk under the Act.

The foreign tax evasion offence is slightly different and requires a UK nexus. This means that the corporate (referred to as a “relevant body” in the Act) must be either:

1. Incorporated in the UK (for example, a UK company with a subsidiary in Germany which evades German tax — there will be a UK Nexus).
2. Carrying on business (or part of its business) in the UK (for example, a French parent company with a UK subsidiary branch, where the French parent fails to prevent French tax evasion — there will be a UK nexus).
3. Facilitating any aspect of foreign tax evasion in the UK (for example, an Indian company with no UK presence that pays its suppliers in cash while in the UK to avoid Indian taxes — there will be a UK Nexus).

To succeed in prosecuting the foreign tax evasion offence, there is one final element that the prosecution will need to prove — ‘dual criminality’. This requires the prosecution to prove that both the tax evasion and facilitation are offences in both the UK and the country in which the offences were committed.

Similar to the Bribery Act 2010, a corporate has a defence (which may result in the company not being prosecuted) if it can demonstrate that it had reasonable procedures in place to prevent the facilitation of criminal tax evasion or that it was not reasonable to expect it to have any prevention procedures in place. It is this latter point where the Criminal Finances Act differs from the Bribery Act in respect of the defence.

Similar to the Bribery Act, the penalties on conviction include:

• unlimited fine
• potential for 200% tax penalties on the tax due
• debarment from public contracts
• confiscation order
• compensation order
• serious crime prevention order
• deprivation order or financial reporting order.

In addition to the penalties, you can expect significant legal costs when defending and dealing with the matter, as well as HR costs and adverse publicity. The individuals concerned in the evasion may receive an unlimited fine and/or a prison sentence and be exposed to additional ancillary orders.

 

Economic Crime & Corporate Transparency Bill — failure to prevent fraud

The Economic Crime & Corporate Transparency Act received Royal Assent on the 26 October 2023, meaning that the provisions will become law. The Government welcome the Act as the introduction of ‘world leading powers which will allow UK authorities to proactively target organised criminals and others seeking to abuse the UK’s pen economy’.

The introduction of the Economic Crime and Corporate Transparency Act heralds one of the biggest reforms of economic crime legislation in recent years and is described by the Director of the Serious Fraud Office as being a “game changer for law enforcement”.

Under Section 199 of the Act, a corporate (described as a “relevant organisation”) will be liable where a specified fraud offence is committed by an associated person (including employees, agents, subsidiaries or any person who performs services for the relevant organisation) for the organisation’s benefit and where the organisation did not have reasonable fraud prevention procedures in place to prevent the fraud (the defence).

It's important to note that:

• An offence is committed even where the company’s management did not order or know about the fraud.
• The proceeds of any fraud (the criminal properties derived from it) are also very likely to engage other criminal offences in relation to money laundering (as will offences under the Bribery Act 2010 and Criminal Finances Act 2017).
• In common with the corporate offence in the Bribery Act 2010 and the Criminal Finances Act 2017, this new offence is one that may be subject to a deferred prosecution agreement (DPA).

The offences that are in scope for the new failing to prevent offence include:

• Cheating the Public Revenue
• False Accounting (Section 17 of the Theft Act 1968)
• False Statements by Company Directors (Section 19 of the Theft Act 1968
• Fraudulent Trading (Section 993 Companies Act 20006)
• Fraud (Section 1 of the Fraud Act 2006)
• Participating in Fraudulent Business (Section 9 of the Fraud Act 2006)
• Obtaining Services dishonestly (Section 11 of the Fraud Act 2006)

Note that the schedule of offences currently captured by Failure to Prevent Fraud offence may be amended by the Secretary of State to add or remove offences.

• fraud by false representation (section 2, Fraud Act 2006)
• fraud by failing to disclose information (section 3, Fraud Act 2006)
• fraud by abuse of position (section 4, Fraud Act 2006)
• obtaining services dishonestly (section 11, Fraud Act 2006)
• participation in a fraudulent business (section 9, Fraud Act 2006)
• false statements by company directors (section 19, Theft Act 1968)
• false accounting (section 17, Theft Act 1968)
• fraudulent trading (section 993, Companies Act 2006)
• cheating the public revenue (common law).

The offence will apply to 'Large Organisations' that meet two of the three following criteria:

• More than 250 employees.
• More than £36 million turnover.
• More than £18 million in total assets.

Importantly, the impact of the offence will be kept under review and these thresholds can be amended through secondary legislation if required.

While the thresholds seem high, the reality is that they capture almost every FTSE- and AIM-listed company. Moreover, the offence applies to a subsidiary of a parent if the group — which includes the parent and subsidiaries — meets the criteria set out above. This will considerably widen the scope of the offence.

The offence applies across the UK, with equivalent offences in Scotland and Northern Ireland. The offence has extraterritorial reach and will be committed by an overseas organisation where the employee commits a relevant fraud offence under UK law or targets UK victims. A company convicted of this offence may receive an unlimited fine.

Although not explicitly stated — and while fraught with difficulties — we also anticipate that following any conviction, the company may be subject to confiscation proceedings. It is also envisaged that companies will receive (in appropriate circumstances) Serious Crime Prevention Orders. This is a civil order designed to prevent and disrupt serious and organised crime and can be imposed in the High Court as a ‘standalone’ order but is mostly obtained in the Crown Court after conviction.

 

Vicarious liability

As with other corporate offences, the ‘failure to prevent’ offences, are ones of strict liability for which the corporate will be held vicariously liable for the actions of its employees, agents and other associated persons.

In relation to offences of vicarious liability, the company doesn’t need to be complicit, have the intention of or even know about the commission of an offence within the business.

Instead, where a company fails to prevent the commission of an offence by an associated person within its business, it will itself commit a criminal offence and be held liable for the actions of its associated persons — unless it’s able to demonstrate that it had adequate or reasonable preventative procedures in place.

There are a number of additional, existing and far reaching corporate offences for which a company could be held vicariously liable.

As with the failure to prevent offences — which provide a defence where a company can demonstrate that reasonable or adequate procedures are in place — there may also be specific corporate defences provided by the relevant legislation.

 

What do you (and your business) need to do?

Undoubtably, when it comes to compliance with financial crime legislation, ‘prevention is better than cure’.

We would advise that you revisit your organisation’s corporate compliance programme. A compliance programme has been defined as “an organisation’s internal systems and procedures for helping to ensure that the organisation — and those working there — comply with legal requirements and internal policies and procedures”.

 

Compliance culture

Creating a robust compliance culture is fundamental to the prevention of fraud and other regulatory breaches within a corporate organisation. It also provides an organisation with strong arguments against prosecution and/or in mitigation if an organisation is prosecuted.

The UK’s Serious Fraud Office states in its guidance — which will be followed by other law enforcement bodies generally — that a proactive approach and effective compliance programme is a public interest factor against prosecution, whereas a weak and ineffective programme may tend towards prosecution.

A good place to start is through the adoption of a holistic approach to compliance. In doing so, consideration can be given to the interplay of bribery, tax evasion, fraud, money laundering and more.

In relation to tax evasion and bribery, guidance on the steps that a business should take is available from the Ministry of Justice and HM Revenue & Customs. However, the guidance is generic and aimed at all organisations from SMEs through to PLCs. The guidance tends to represent guiding principles and can be supplemented with guidance from various industry and trade bodies, including (for example) UK Finance, the Joint Money Laundering Steering Group and the Law Society, to name a few.

 

Adequate and reasonable procedures

Despite similarities in the defences offered by the legislation referred to above, the Bribery Act differs from the Economic Crime and Corporate Transparency Act and Criminal Finances Act in that it requires a company to have ‘adequate procedures’ in place to prevent the commission of an offence (as opposed to ‘reasonable procedures’).

Nonetheless, both tests require corporate bodies to ensure that they have identified areas within the business that are exposed to the relevant risks, then implement and evidence the existence of corporate crime compliance policies to ensure “that the organisation — and those — working there comply with legal requirements and internal policies and procedures”.

The government has yet to release its reasonable procedures guidance in relation to the failure to prevent fraud offence, but we can be sure that it will not be sufficient to adopt a generic policy to appease the legislative requirement. There will be no one-size-fits-all corporate compliance jumper that will protect your business from prosecution.

Generally speaking, businesses should consider the following when implementing their compliance programme:

1. Tone from the top — ensuring that senior management are actively involved and engaged in compliance. Simply ‘talking the talk’ isn’t enough.

2. Risk assessment — the concept of risk assessments are likely to be a familiar feature for many businesses and indeed many will already have conducted some form of financial crime assessment, particularly those engaged in the financial regulated sector. The importance of assessing financial crime risk is obvious — without doing so, a business won’t be able to identify, document and implement the necessary steps required to reduce and mitigate the risk to the business. Any risk assessment will need to be reviewed and updated periodically and after any changes are made to business operations.

3. Proportionate policies and procedures — if a corporate can demonstrate that it has put in place reasonable and/or adequate procedures that effectively identify and mitigate the financial crime risk it faces — whether it be bribery, fraud or tax evasion — then the risk of prosecution is considerably reduced. What those policies and procedures look like and how they’re implemented will depend on (among other things) the corporate’s size, jurisdiction and the sectors it operates in. It’s important to understand that these policies are likely to form part of a wider suite of policies and procedures that engender the ethical and responsible behaviours of a robust compliance culture.

4. Due diligence — in a generic financial crime context, due diligence refers to the steps that are taken to inform an organisation of the risk associated with dealing with persons or organisations that perform (or will perform) services on its behalf, in order to identify and mitigate the risks associated with that relationship. It’s particularly important to undertake due diligence given the wide scope of those who might be considered ‘associated persons’ and render the organisation liable for their criminal activity. The due diligence will of course vary depending on the risk associated with the relevant activity — for example, in higher risk situations, due diligence and monitoring may be extensive.

5. Monitoring and review — business is rarely static. Businesses change and evolve, and risks ebb and flow. As such, the guidance recommends that compliance programmes be monitored and reviewed to identify any necessary changes. Monitoring can take many forms, both internal and external, and can include:

• internal and external audits
• staff questionnaires
• periodic ‘at seat’ risk assessments
• reporting to board (consideration and approval).

6. Communication and training — having a full suite of policies and procedures won’t help a corporate if its people (including those associated with it) are unaware of their obligations, responsibilities and the way in which their behaviour can impact the business.

Guidance in relation to the existing failure to prevent offences suggests that businesses should deliver anti-financial crime and unethical conduct messages clearly and develop training programmes to ensure that the right training is given to the right staff to ensure compliance with the financial crime compliance programme.

This training should commence at the point of onboarding new staff members and continue throughout their employment with periodic updates and reviews. Given the proposed new failure to prevent fraud offence and the proposed widening of the identification doctrine, businesses with existing training regimes should revisit the nature and scope of their training.

 

Undertake financial crime corporate due diligence enquiries

A company’s due diligence shouldn’t be considered in isolation. It’s important to be aware that the interpretation of ‘associated persons’ is (and will continue to be) far reaching. As a consequence, it’s important to be aware that — together with employees and agents — the actions of individuals working within a corporate’s supply chain or a partnering firm may — depending on the facts of a given case — be capable of binding a company with criminal liability.

Therefore, when forming business relationships, it’s vital that due diligence is conducted both internally and externally as part of a corporate’s reasonable/adequate procedures. This will help to understand and identify the adequacy of other corporates’ compliance policies. This includes ensuring that commercial contracts contain the necessary financial crime clauses that deal with (for example) anti-bribery, tax evasion, money laundering, fraud and insider dealing.

The process of investigating the financial circumstances and business practices of a company that is being considered for (or is already part of) your supply chain should be part and parcel of business life. This is a critical process and one where the relevant parties need to gather as much information as necessary to determine suitability and identify risk.

Similarly, when considering the suitability of a corporate merger or acquisition, further risk exists. The historical actions of a company’s associated persons may be capable of attributing corporate criminal liability and therefore, unless the right due diligence is undertaken, the buyer may end up acquiring a business with a legacy of undiscovered criminal liability which will remain until resolved.

In effect, inadequate corporate due diligence in the context of a merger or acquisition could lead a buyer to acquire a corporate marred with criminal liability. While this risk can never be fully eliminated, effective and thorough financial crime due diligence allows for the financial crime red flags to be identified and demonstrates a proactive financial crime compliance agenda.

Such enquiries will include asking for evidence of anti-bribery, tax evasion, fraud, money laundering and sanctions policies and procedures.

This includes:

• Details of any infringements, investigations and prosecutions.
• Details of reports to regulators and law enforcement.
• Details of financial crime disciplinary matters.
• Details of any internal investigations in relation to financial crime-related matters.
• Details of the internal risk and compliance team, including the money laundering reporting officer.
• Copies of all financial crime policies and procedures.
• Training programme details and records.
• Risk assessments, including KYC, source of funds and wealth checks (where appropriate).
• Internal and external audit findings.
• Evidence of ongoing monitoring.
• Details of whistleblowing policies and procedures.
• Details of any conduct, internal and external reporting.
• HR policies, including details for enforcing misconduct.
• Associated party due diligence, including policies, training and monitoring.
• Internal investigation policies and processes.

 

Talk to us

To discuss your company’s corporate criminal compliance programme — including its compliance culture, policies, procedures and legal due diligence — please complete our contact form below.

Please note that nothing on this page should be treated as constituting legal advice.