The Impact on D&O Insurers of the UK’s Economic Crime and Corporate Transparency Act and the ‘Failure to Prevent Fraud’ offence
November 2024
The Failure to Prevent Fraud Offence
The Economic Crime and Corporate Transparency Act 2023 (ECCTA) is the government’s latest effort to legislatively combat economic crime in the UK. The Act introduces, among other things, a new strict-liability corporate criminal offence of ‘failure to prevent fraud’, which seeks to hold organisations to account when they profit from fraud offences committed by their ‘associates’.
This follows the ‘failure to prevent bribery’ and ‘failure to prevent tax evasion’ offences introduced by the Bribery Act 2010 and the Criminal Finances Act 2017 respectively.
While ECCTA gained Royal Assent on 26 October 2023, the new failure to prevent fraud offence will not come into force until 1 September 2025. The offence will apply to large companies and LLPs that meet at least two of the following criteria: a turnover of more than £36 million; total assets of more than £18 million; and/or more than 250 employees.
Organisations will be liable for fraud offences committed by an ‘associated person’, which includes a company’s employees, agents, subsidiaries and anyone else who may perform services for or on behalf of an organisation.
There are nine specified offences, including fraud by abuse of position, false statements by directors, false accounting and fraudulent trading.
The offence will carry a degree of extra-jurisdictional reach, where companies outside of the UK but with a ‘UK nexus’ will still need to ensure appropriate fraud prevention measures. A ‘UK nexus’ means that either: a) one of the acts which formed part of the underlying fraud took place in the UK, or b) the gain or loss occurred in the UK. This means that overseas companies with UK-based employees, subsidiaries, agents, investors or even customers will be in scope.
One of the defences (the other being that the organisation was the victim of the fraud) is where the organisation can demonstrate either that it had reasonable fraud prevention procedures in place, or that it was not reasonable to expect the organisation to have such procedures. Recent government guidance has outlined 6 principles for developing reasonable fraud prevention frameworks, which closely resemble the principles developed in the existing ‘failure to prevent bribery’ and ‘failure to prevent tax evasion’ offences: (i) top level commitment, (ii) conducting risk assessments, (iii) establishing proportionate risk-based prevention procedures, (iv) due diligence, (v) communication and training, and (vi) monitoring and review.
We expect that prosecutors will use the Act to investigate potentially fraudulent directors’ reports, including any dishonest ESG, EDI, AI and Modern Slavery transparency statements, and insurers may need to prepare for an increase in notifications in this area.
The extreme severity of related fines for economic crime has attracted attention recently, with £280M awarded after Glencore pleaded guilty to 7 counts of bribery in 2022. This was followed by the SFO charging five former Glencore employees in August 2024 with conspiracy to make corrupt payments. Whilst fines are unlikely to be covered under the policy, the costs of defending these investigations may still test policy limits.
Insurers, particularly D&O providers, should consider the scope of cover they are willing to provide and review policy wordings prior to full implementation of the ECCTA in 2025. Holding organisations liable for fraud committed by ‘associated persons’ extends an organisation’s liability beyond just the activities of directors and officers. We also anticipate extensive debate as regards the definition of an ‘associated person’ and whether they are an ‘Insured Person’ under the policy terms and conditions. The definition of an insured person is usually already broad in D&O policies, as it will play a key role in determining coverage. Insurers will need to evaluate whether they currently do – or wish to – extend coverage to associated persons and price accordingly.
Insurers should also examine the company’s internal fraud prevention procedures before offering cover.
Other Provisions of the ECCTA
Whilst the failure to prevent fraud offence has attracted a lot of attention, the ECCTA also introduces additional changes which are likely to impact companies, directors, employees and their insurers.
There are new requirements for all directors (and anyone filing on behalf of a company) to be ID-verified and for companies to notify the registrar whenever a director is appointed. Until these requirements are fulfilled, individuals will be prohibited from acting as directors. Breach of these requirements constitutes an offence not only by the director, but also by the company for allowing it.
Companies House has also been granted a swathe of additional powers in order to ensure accuracy of information and compliance in delivering documents. Importantly, this includes the potential for the registrar to directly impose financial penalties of up to £10,000 for non-compliance. These additional powers mean that directors and officers will be under additional scrutiny to ensure that corporate filings and activities are conducted properly, as they will face direct liability for any failings to do so. These additional powers and restrictions are very likely to lead to further claims against D&O policies in future.
The Act also extends the investigatory powers of the Director of Public Prosecutions, including the ability to serve disclosure notices on individuals or corporate bodies compelling cooperation with investigations by producing documents or answering questions. We expect that there will be more notifications and claims under the policy for these associated investigation costs (and disputes about whether they fall within the scope of the investigation costs clause in the D&O policy).
Prior to the Act’s introduction, organisations could only be held jointly liable for offences committed by ‘the directing mind and will’ of an organisation. Now, however, the ECCTA introduces into legislation the common law ‘identification doctrine’, whereby a company can be held criminally liable where a ‘senior manager’ commits an economic offence whilst acting with the actual or apparent authority of that company. The definition of senior manager is also purposefully broad, and a close evaluation of an individual’s actual role and responsibility is required. This is a significant change that applies to almost all companies and partnerships (and is not subject to company size or turnover criteria).
This article was first published by Insurance Day on 13 November 2024.