21 Feb 2024

New Fraud Prevention Offense May Not Make Much Difference

The new failure to prevent fraud offense has many devotees, not least the former Serious Fraud Office director Lisa Osofsky, who proclaimed it “a game changer for law enforcement.”[1] But whose game is being changed? And to what end?

Andrew Smith addresses these questions by examining the breadth — but also the ambiguity — of the new offense.

The New Offense

Section 199 of the Economic Crime and Corporate Transparency Act
2023, or ECCTA, provides that a large organization commits the failure to prevent fraud offense if it fails to prevent an associated person from committing a fraud offense, where the associated person intends to benefit, directly or indirectly, either:

  • The organization; or
  • The person to whom, or to whose subsidiary, the associated person provides services
    on behalf of the organization.

Qualifying fraud offenses are listed in Schedule 13 to the ECCTA.[2]

The organization is not guilty of the failure to prevent fraud offense if it is, or is intended to be, a victim of the fraud offense. The organization has a defense if, at the time of the fraud offense, it had in place reasonable fraud prevention procedures.

While the failure to prevent fraud offense is narrowly drafted in terms of who can commit it, i.e., only large organizations, it is broadly and ambiguously drafted in terms of how it can be committed.[3]

Section 201 of the ECCTA defines a large organization as one in which two or more of three measures are exceeded: turnover of £36 million ($45.6 million); a balance sheet total of £18 million; or 250 employees.

Two features exemplify this point. First, the array of fraud offenses that the organization must prevent. Second, the fact that the organization is guilty if the associated person commits a fraud offense with a mens rea framed by reference to undefined concepts of “benefit” and “victim.”

An Array of Fraud Offenses

The two predecessor failure to prevent offenses concern well-defined, relatively narrow types of criminality — bribery and tax evasion. These offenses are most likely to be committed in particular departments of an organization and the third parties those departments routinely deal with — bribery in procurement, or sales and tax evasion in the tax department.

In contrast, fraud can be committed in a myriad ways by any director, employee or third party; it risks permeating any type of commercial activity conducted within, and by, the organization.

The amorphous nature of fraud is reflected in the Schedule 13 list of no fewer than nine wide-ranging offenses, all of them conduct-based, i.e., they are committed where the associated person intends, by means of their conduct, to bring about certain results. It is not necessary to prove any resulting loss or damage.

The Schedule 13 offenses all require proof of dishonesty, except Section 19 of the Theft Act 1968, which requires an intention to deceive. The inclusion of an offense not based on dishonesty is curious but not anomalous.

Dishonesty is not a necessary element of fraud. A deceit-based offense such as Section 19 is still a fraud offense. Nonetheless, its inclusion in Schedule 13 highlights the sheer breadth of the conduct the organization must prevent.

That the organization can also be guilty on the basis of inchoate offending by the associated person, i.e., through that person’s aiding, abetting, counseling or procuring of the fraud offense makes the conduct the organization must prevent broader still.

The Terms “Benefit” and “Victim”

Having thus broadened the foundations of the failure to prevent fraud offense, the ECCTA introduces the ambitious but ambiguous requirement that the prosecutor consider three facets of the associated person’s state of mind.

  • The organization is only guilty if the associated person has the mens rea that is a necessary element of the Schedule 13 fraud offense, i.e., dishonesty or intent to deceive.
  • The organization is only guilty if the associated person commits the Schedule 13 fraud offense with an additional mens rea of intending to benefit the organization or the person to whom the associated person provides services on behalf of the organization.
  • However, the organization is not guilty if the associated person commits the Schedule 13 fraud offense with the mens rea of intending the organization to be a victim of the offense.

The words “benefit” and “victim” do not feature in the predecessor failure to prevent offenses concerning bribery and tax evasion. Given their novelty and significance to whether the organization commits the failure to prevent fraud offenses, it is surprising that the ECCTA does not define them.

What, then, does the term “benefit” mean in this context? Most criminal lawyers will immediately think that a person benefits if they obtain property — including real, personal and intangible property — as a result of their conduct, given that this is its definition in Section 340(5) of the Proceeds of Crime Act 2002.

Assuming the same meaning of benefit applies to the ECCTA, there will be circumstances in which an associated person commits the Schedule 13 fraud offense — because they acted dishonestly — but without the organization committing the failure to prevent fraud offense
— because the associated person did not intend the organization to benefit from their conduct.

Where, for example, an employee dishonestly makes a false representation contrary to Sections 1 and 2 of the Fraud Act 2006, their intention may be to cause loss to a commercial competitor of their employer out of unmitigated spite, with no intention to benefit themselves or another.

In these circumstances, the associated person has the necessary mens rea — dishonesty and the intention to cause loss to another — to commit a Schedule 13 fraud offense, but lacks the necessary mens rea — the intention to benefit their employer organization — to render the organization liable for the failure to prevent fraud offense.

Turning to the term “victim,” the use in the ECCTA of the indefinite article, i.e., a victim, presupposes, rightly, that there can be multiple victims of the same fraud.

If the organization can show it was one of the intended victims of the associated person’s fraud, it does not commit the failure to prevent fraud offense, even though there may be other victims who have lost, or who stood to lose, significantly more.

Where, for example, a director makes a false statement intending to deceive shareholders about the company’s financial affairs, contrary to Section 19 of the Theft Act 1968, those shareholders are not necessarily the only intended victims of the fraud; the director may also be seeking to enrich themselves personally at the company’s expense.

Here, the associated person has the necessary mens rea — the intention to deceive shareholders — to commit a Schedule 13 fraud offense and an additional mens rea — the intention to cause loss to their company — meaning the organization is not liable for the failure to prevent fraud offense.

As such, it is important to consider the small but undefined words “benefit” and “victim” when determining whether the organization has committed the failure to prevent fraud offense.

By focusing on facets of the associated person’s state of mind other than the mens rea relevant to the underlying fraud offense, they provide fertile ground for negotiation between an investigator and corporate suspect about the associated person’s true intentions: Whom exactly did their offending intend to benefit and whom did it intend to harm?

Who Is the Actual Victim?

When analyzing the word “victim,” the associated person’s intentions are not the end of the matter. The ECCTA is clear that liability also turns on whether the organization is in fact a victim of the associated person’s conduct, regardless of that person’s intentions.

Where, for example, an associated person’s intentions in committing the Schedule 13 fraud offense go awry and bring about unintended consequences that harm the organization, then the organization, as a victim of the fraud, is not liable for the failure to prevent fraud offense.

Suppose a third-party auditor dishonestly signs off on a financial statement for the organization that includes revenue numbers they know are false. The auditor has committed false accounting under Section 17 of the Theft Act 1968, while the organization will need to investigate whether the evidence suggests that the auditor’s intention was to benefit himself or his audit firm, rather than the organization.

The organization might be able to argue that any financial benefit the auditor intended the organization to receive, e.g., shareholder confidence or investment on publication of the financial statement, was illusory, since it was constructed on false figures.

The facts may even suggest that the auditor’s intention was achieved by misleading the organization’s in-house audit team about the appropriateness of the accounting treatment. If so, the organization may be able to argue that, regardless of the auditor’s intention, it
has, as a matter of fact, become a victim of the dishonesty — since its employees were deceived, and it has lost money as a result of the fraud.

It is not difficult to conceive of other circumstances where an organization may have been an intended beneficiary of the associated person’s fraud at the outset, but as a result of how the fraud was perpetrated and whether the associated person’s intentions were realized, the
organization became an intended or actual victim.

The terms “benefit” and “victim” are fluid, ambiguous concepts upon which the key participants in a long-running and complex fraud may have competing claims.

This is not simply empty theorizing or semantics: It was one of the issues debated in the SFO’s unsuccessful High Court of England and Wales bid to secure a voluntary bill of indictment against Barclays PLC in the 2018 case of Serious Fraud Office v. Barclays PLC.

Leading counsel for the SFO had argued that the bank, even as a dishonest coconspirator, could issue contribution and indemnity proceedings against its coconspirator directors and could even launch a private prosecution of them.

Justice William Davis disagreed, saying that this “would tend to support the point that Barclays had not simply been a beneficiary of the conspiracy but had in truth been a victim of deception.”[4]

Who Can Commit the Offense?

To return to the questions posed at the start of this article: Whose game is being changed? And to what end?

As matters stand, only large organizations can commit the offense. They cannot simply replicate their existing anti-bribery and anti-tax evasion procedures in the anti-fraud arena. The breadth and ambiguity of the new offense means that only a tailored approach focusing
on business-specific risks is likely to be sufficient to afford a defense of reasonable procedures.

The most striking impact of the offense, however, is that it will affect so few companies. Having introduced such ambitious breadth and ambiguity regarding how it can be committed, Parliament has ultimately narrowed down who can commit it.

Because it will not apply to over 99% of commercial activity in England and Wales, the much-heralded game-changer will, in reality, have little impact in fighting fraud.

Concluding Thoughts

The offense will likely make no difference to the vast majority of ordinary or vulnerable people who are victims of the often life-destroying internet, investment or other scams that comprise so much of the so-called fraud epidemic.

By targeting only the largest companies, significant fraud investigations will fall further into the hands of well-resourced companies and their professional advisers, leading to more deferred prosecution agreements, corporate pleas and eye-watering financial settlements.

Moreover, as the Bribery Act 2010 demonstrates, it will likely lead to inadequate investigation of individuals who may be complicit in the fraud, resulting in fewer prosecutions or prosecutions brought on insufficient evidential foundations.

Yet, given the lack of adequate resourcing for fraud enforcement by the SFO, the Crown Prosecution Service and others, the failure to prevent fraud offense is arguably the only practical or rational response.

Like the two existing failure to prevent offenses, the primary aim of this offense is to change corporate culture rather than secure convictions. Perhaps it is better for the private sector to police some fraud that the public sector is incapable of policing.

Indeed, that may well become the lasting impact of the new offense: Banks and big data companies now face the challenging prospect of policing their platforms for the types of fraud committed by their users that not only enrich the fraudsters but bring additional
financial benefit to the organization.

As with the anti-money laundering legislation created in the late 1990s and early 2000s, the corporate world is being asked, on pain of criminal sanction, to guard the gates and protect consumers.

[1] https://www.gov.uk/government/news/new-crackdown-on-fraud-introduced-by-home-office.
[2] Section 200 empowers the Secretary of State to add or remove offenses from Schedule 13 but only offenses of dishonesty, offenses of a similar character to the existing offenses or money laundering offenses contrary to sections 327-329 of the Proceeds of Crime Act 2002 may be added.
[3] Note that the Secretary of State has the power under section 201(7) to abolish by regulations the limitation so as to bring all organizations within the new offense or otherwise vary the reach of the offense.
[4] Serious Fraud Office v Barclays plc and another [2018] EWHC 3055 (QB) at para 127.

This article was published originally in Law360 on the 20th February 2024.

Latest Insights


April 17 2024


April 11 2024


April 4 2024