By Graham Briggs & Gareth Hall


Published 16 December 2024

Overview

The Economic Crime and Corporate Transparency Act 2023 ("the ECCTA") is introducing significant reforms to the UK's corporate criminal liability regime. 

Among other reforms, the ECCTA introduces:

  • A new offence of failure to prevent fraud ("the FTP Fraud Offence"), which will come into force on 1 September 2025.
  • An expansion of the way in which a wide range of criminal conduct of individuals will be attributed to, and create liability for, companies ("the Identification Doctrine"). 

 

The FTP Fraud Offence

The FTP Fraud Offence is intended to make it easier to hold certain organisations accountable for fraud committed by employees. It sits alongside the existing law on fraud, meaning that the person who committed the fraud may be prosecuted individually as well as the company being prosecuted for failing to prevent it. 

However, it applies only to large companies or partnerships ("a Relevant Body") which fulfil at least two of the following criteria:

  • More than 250 employees;
  • More than £36 million turnover; and/or
  • More than £18 million in total assets.

The FTP Fraud Offence will be committed where employees or other 'persons associated' commit fraud with the intention of benefiting the Relevant Body or their clients. It is not necessary for there to be any evidence that the Relevant Body knew of, suspected or supported the fraud.

In addition to employees, others that will be considered a 'person associated' to the Relevant Body include agents, third party service providers, contractors, suppliers, subsidiaries and employees of subsidiaries.

The Relevant Body will not commit the FTP Fraud Offence where it has in place 'reasonable' fraud 'prevention procedures'. The government has published guidance on this, based on six principles: 1) top level commitment; 2) risk assessment; 3) proportionate risk-based prevention procedures; 4) due diligence; 5) communication (including training); and 6) monitoring and review.

These principles are intended to be flexible and outcome-focussed. What will be appropriate and proportionate fraud prevention measures to implement will vary greatly depending on the type of business and risk of fraud to that business.

If convicted of the FTP Fraud Offence, an organisation may be liable for an unlimited fine, public censure, a criminal record and debarment.

 

Expansion of the 'Identification Doctrine'

Previously, it was generally necessary for an individual to be the 'directing mind' of a company before their criminal conduct in the course of their work could be attributed to a business to render that business criminally liable ("the Identification Doctrine"). This will generally be a director or equivalent.

The ECCTA extends the reach of the Identification Doctrine so that where 'senior managers' commit specified offences (including but not limited to money laundering, bribery, fraud offences, terrorist financing, theft offences, offences relating to financial services and offences relating to criminal property) whilst acting within the scope of their authority or purporting to act within the scope of their authority, then the organisation may also be found guilty of the offence. Who might be considered a 'senior manager' is broadly defined and may potentially include department heads, for example.

 

Impact on businesses

Organisations should be taking steps to mitigate the liability risks that the ECCTA presents, particularly ahead of the FTP Fraud Offence coming into force in September 2025.

Most importantly, risk assessments should be reviewed and, if necessary, refreshed with specific reference to the fraud issues that the organisation could be exposed to and the risk of offences being committed within the scope of an individual's authority in the course of business.

Based on the results of that assessment, the following steps might be considered:

  • Review financial crime and anti-fraud policies and procedures, including financial controls and authority limits.
  • Provide training for those in positions which might present the highest risk.
  • Increase the scope of necessary due diligence on third parties.
  • Review and implement anti-fraud contractual provisions for third parties.
  • Implement a system to regularly review and verify the implementation and efficacy of all internal systems and controls.

 

Considerations for D&O insurers

This is the latest in a number of legislative changes that seek to make it easier for companies and/or their directors to be held accountable for their actions. The introduction of the FTP Fraud Offence is anticipated to lead to an increased frequency of investigations into companies and their practices. On publication of the guidance, Nick Ephgrave (Director, Serious Fraud Office) said "time is running short for corporations to get their house in order or face criminal investigation".

With the above in mind, and although the FTP Fraud Offence is an offence by the company, some D&O policies may respond to such investigations, including in circumstances where directors are required to attend hearings, or respond to requirements to provide information or documents, or to attend compulsory interviews.

Where companies are found guilty of the FTP Fraud Offence, there may be increased scrutiny of directors responsible for ensuring reasonable procedures are in place to prevent fraud. Directors who fail to ensure that such procedures are in place and/or that they are appropriate and proportionate, taking into account the risks presented, could face claims by the company for any losses that result from such failings.
