
New Considerations for Companies with U.K. Ties: Home Office Issues Guidance to Organisations on the Offence of Failure to Prevent Fraud

International Alert

On November 6, 2024, the U.K.'s Home Office issued Economic Crime and Corporate Transparency Act 2023: Guidance to organisations on the offence of failure to prevent fraud (the Guidance). The Guidance provides an overview of the Economic Crime and Corporate Transparency Act (ECCTA), which establishes an offense whereby an organization can be criminally liable when an "associated person" (anyone who performs services for or on behalf of the organization) commits fraud with the intent to benefit the organization. The Guidance also outlines procedures that organizations can put in place to help them prevent fraud and, in so doing, satisfy the defense available to organizations that had "reasonable procedures in place to prevent fraud" at the time of the misconduct. The procedures defined by the Home Office cover many of the compliance expectations set forth by the U.S. Department of Justice (DOJ) in its Evaluation of Corporate Compliance Programs (ECCP), which was recently updated in September 2024. However, the Guidance includes both additional and more detailed expectations, particularly to address fraud risk, which corporations with U.K. connections will need to consider when evaluating their compliance programs.

Scope of the ECCTA

The ECCTA, which passed into law in October 2023 and will take effect in September 2025, establishes the failure to prevent fraud offense for "large organizations." Large organizations are corporations satisfying any two of the following three characteristics: having 250 or more employees, having turnover of at least 36 million pounds, or having assets of at least 18 million pounds. The legislation applies to non-U.K. entities so long as an associated person commits an underlying U.K. fraud offense, which requires an act taking place in the U.K. or a loss, gain, or victim in the U.K. resulting from that act. 

Reasonable Procedures

A defense to the ECCTA fraud offense is available to organizations that had "reasonable procedures in place to prevent fraud" at the time of the misconduct. In defining reasonable procedures, the Guidance follows a framework of six principles for fraud prevention. Many of the elements it outlines mirror DOJ guidance found in the ECCP and in other DOJ resources, so companies that have adapted their policies and procedures to align with these DOJ resources will be well-positioned to comply with the Guidance. However, the Guidance contains certain points of emphasis that merit noting as distinct from the ECCP. 

Top-Level Commitment

This section largely mirrors guidance in the ECCP about "tone and conduct from the top," urging that senior management must be committed to preventing fraud. Unlike the ECCP, the Guidance does not address the activities of middle management, but does include additional detail on where senior management should support compliance programs. The Guidance calls for senior management to issue specific messaging in communications regarding the organization's stance on preventing fraud (e.g., formal statements regarding the organization's "commitment to reject fraud, even if this results in short term business loss, missed opportunities or delays" and an "articulation of the business benefits of rejecting fraud (reputational, customer and business partner confidence)"). The Guidance directs senior management to "lead by example" and "foster an open culture" including by "pointing out the effects of fraud on the business, other colleagues, the sector and public trust." 

Similar to the ECCP, the Guidance also expects senior leadership to support the compliance function of the organization, including its access to the board of directors and ensuring it has adequate resources, particularly with respect to training. 

Risk Assessment

The structure of the risk assessment section in the Guidance represents perhaps the starkest difference in approach compared to the ECCP. Although both focus on dynamic, ongoing risk assessment using holistic analysis, the Guidance sets out more specific step-by-step instructions organizations should use to classify and assess risk. This guidance incorporates concepts embedded in the Enterprise Risk Management (ERM) process, perhaps recognizing that some companies have yet to deploy formal ERM or other risk assessment processes and that others' efforts are in various stages of sophistication. 

First, the Guidance recommends organizations identify "typologies" of associated persons and circumstances that may be ripe for fraud attempts. This process includes a two-step inquiry, first classifying the associated person (e.g., agents, contractors, "staff in specific sensitive roles") and then identifying circumstances in which that category of person is likely to attempt fraud falling under the targeted offense.

Next, the Guidance discusses establishing typologies of risk using the "fraud triangle" framework: opportunity, motivation, and rationalization. The Guidance establishes a list of questions that organizations should ask in evaluating each of these elements. Opportunity for fraud focuses on weak controls and inadequate oversight; motivation probes potential sources of financial stress and incentivization of fraud to meet targets; and rationalization assesses cultural and industrial challenges that may promote fraud. The Guidance also recommends classifying "inherent risks" — those that exist before additional prevention measures are established — by likelihood and impact.

Lastly, the Guidance includes a brief section on emergency scenarios, noting that fraud risks may increase during "events that pose a risk of widespread loss of life or damage to property, or significant financial instability, and that require ameliorating action by the authorities." This section is likely a reaction to the significant increase in fraud that occurred during the COVID-19 pandemic. The Guidance stresses that assessing risk arising out of emergencies is part of establishing reasonable fraud prevention measures for purposes of the defense. The impact of emergencies is an area that DOJ guidance does not contemplate and thus warrants particular focus for companies with U.K. ties.

Proportionate Risk-Based Fraud Prevention Procedures

This section of the Guidance is organized using the aforementioned fraud triangle and discusses how to reduce opportunities and motives for fraud and rationalization of fraudulent behavior. Like the DOJ's ECCP, the Guidance advises implementing risk-based procedures, establishing consequences for committing fraud, conducting external benchmarking, and testing fraud prevention measures. However, in keeping with the preceding section, it also touches on the importance of establishing procedures in line with risk assessment for emergency scenarios.

Due Diligence

The due diligence section of the Guidance is brief, but it provides specific recommendations for best practices whereas the ECCP speaks more generally about the need for adequate due diligence. The Guidance recommends "using appropriate technology, for example, third-party risk management tools, screening tools, internet searches, checking trading history or professional or regulated status if relevant, or vetting checks if appropriate." Interestingly, the Guidance encourages "monitoring of well-being of staff and agents to identify persons who may be more likely to commit fraud because of stress, targets or workload." This point illustrates a theme of the Guidance, which is a highly individualized approach to fraud prevention tailored to each associated person. Like the ECCP, this section also includes guidance pertaining to due diligence surrounding mergers and acquisitions.

Communication

The communication section outlines tools for ensuring that an organization's fraud prevention policies and procedures "are communicated, embedded and understood throughout the organisation, through internal and external communication." Like the ECCP, in addition to emphasizing the importance of messaging, the Guidance highlights both training and whistleblowing. However, where the ECCP is structured using questions companies should ask themselves in self-evaluating, the whistleblowing recommendations in the Guidance contain a list of tangible measures organizations should consider implementing, including establishing board level oversight of whistleblowing and consulting trade unions about "the content of formal systems for receiving concerns raised by whistleblowers."

Monitoring and Review

Given the narrowed focus of the underlying legislation, the monitoring and review section is focused on detection and investigation of fraud offenses and monitoring the effectiveness of fraud prevention. The Guidance includes a list of questions targeted at fraud detection measures, which tie in elements from several of the preceding sections. Like the ECCP, the Guidance asks whether data analytics tools and artificial intelligence (AI) are used to aid detection and whether whistleblowing procedures are clearly communicated to staff and associated persons. Also like the ECCP, the Guidance includes a subsection specific to investigations; however, its focus is more general, while the ECCP drills down on the nuts and bolts of investigations. For example, the Guidance generally prompts organizations to consider questions such as what factors determine whether investigations are conducted internally or externally and "what arrangements are in place for learning from investigations." (This last piece echoes the ECCP's question regarding how the program incorporates learnings from "manifested risk.")

Although not binding, the Guidance provides key insights into what U.K. courts might consider when assessing whether companies satisfy the reasonable procedures defense to the ECCTA offense. Companies that have adopted compliance programs consistent with the DOJ's ECCP will be able to satisfy much of the Guidance, but additional consideration of fraud-related risks and mitigation strategies may be needed to fully satisfy the Guidance before the ECCTA enters into force on September 1, 2025. 


For more information, please contact:

James G. Tillen, jtillen@milchev.com, 202-626-6068

Katie Cantone-Hardy, kcantonehardy@milchev.com, 202-626-5885

 


The information contained in this communication is not intended as legal advice or as an opinion on specific facts. In particular, we note that Miller & Chevalier is a U.S. law firm and does not practice in the U.K. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information, please contact one of the senders or your existing Miller & Chevalier lawyer contact. The invitation to contact the firm and its lawyers is not to be construed as a solicitation for legal work. Any new lawyer-client relationship will be confirmed in writing.

This, and related communications, are protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices, and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this presentation without prior written consent of the copyright holder.