Do you know your ECCTA from your WPA?

Date Published: May 15, 2025 | By Rebecca Forsyth

The trend of new ‘failure to prevent’ corporate criminal offences continues with the Economic Crime and Corporate Transparency Act (ECCTA) and the Worker Protection Act (WPA).

In the UK there is an increasing tendency to make employers responsible for employee misconduct. This has been the case for centuries in civil law, with the doctrine of vicarious liability; an employer will always be the main target if their employees are negligent and cause damage.

It has also been possible for a company to bear criminal responsibility directly (e.g. corporate manslaughter, which became an offence in 2008 to make sure that companies and other organisations can be held properly accountable for very serious failings resulting in death).

However, for the most part, to hold a company criminally liable, it has been historically necessary for the prosecution to prove that a person who was the ‘controlling mind’ of the organisation was personally responsible for the offence (known as the ‘identification doctrine’).

What are ECCTA and WPA?


Since 2010 there has been a raft of new, strict liability ‘failure to prevent’ criminal offences entered into the statute book, which are specifically designed to make companies the policemen of their own employees. ‘Strict liability’ essentially means that there is no need to prove any intent to commit the offence; the mere act or commission of the offence suffices.

Under Section 7 of the Bribery Act 2010, a commercial organisation is liable to prosecution if a person associated with it bribes another person in order to obtain or retain business or an advantage in the conduct of business for that organisation. The company doesn’t need to have intended the bribery, or even been aware that it happened – the mere fact that the bribery took place is all it takes to land the company a criminal charge. A similar offence of failure to prevent tax evasion was created by the Criminal Finances Act 2017.


The latest corporate ‘failure to prevent’ offence – failure to prevent fraud – has been known about since the Economic Crime and Corporate Transparency Act 2023 (ECCTA) was passed. However, it has only recently been announced when this offence will actually take effect – from 1st September 2025.

This latest strict liability offence (ECCTA Section 199) is perhaps the most far-reaching and potentially problematic yet for companies, given that it is estimated that fraud represents approximately 40% of all crimes committed in the United Kingdom.

Gavin Tagg, SVP Associate General Counsel at Accurate Background

Who has to follow ECCTA and WPA?


Fortunately, this only applies to large organisations, meaning those with any two of the following three attributes:

  • >250 employees
  • >£36M turnover
  • >£18M assets

Also, as expected, companies will have a full and complete defence to any prosecution provided that they have taken sufficient reasonable and proportionate measures to ensure that their employees and associates do not commit fraud in order to benefit the company. However, companies now have only 6 months to follow the government’s guidance to embed these measures, to ensure that they are sufficiently well-armed to avoid prosecutions.


As with the previous failure to prevent offences relating to bribery and tax evasion, the guidance sets out the core principles that underpin reasonable fraud prevention procedures. These are:

  • Top level commitment – sign-off at director level of the documented risk assessment, fostering a culture of zero tolerance for fraudulent/dishonest activity for financial gain.
  • Risk assessment – a deep dive into the possibility of fraud in the organisation, documented and covering all types of enterprise risk specific to the business that may be encountered.
  • Proportionate risk-based prevention procedures – this depends upon the nature, scale and complexity of the relevant body’s activities, and control that can be exercised.
  • Due diligence – taking a risk-based approach, in respect of all employees and suppliers who perform services on behalf of the relevant body.
  • Communication (including training) – to ensure that prevention policies and procedures are communicated, embedded and understood throughout the organisation.
  • Monitoring and reviewing – continual periodic review of the prevention plan, to assess the effectiveness of the current procedures, and identify enhancements as appropriate.

All companies should already have a similar risk assessment, policy and process in place for bribery and tax evasion risks – now is the time to ensure that fraud risk is included in the reckoning.

What else is happening in this space?


As if this new offence was not enough for employers to grapple with, ECCTA Section 196 reformed the identification doctrine as it applies to certain economic crimes. It is no longer necessary to prove that it was the ‘controlling mind and will’ of the company that caused the offence; essentially, the fraudulent actions of a senior manager will be sufficient to land the company with primary corporate responsibility for an economic crime. This does not solely apply to ‘large’ companies; that is basically the point, because the identification doctrine was unworkable when it applied to large, complex organisations with decision makers at multiple levels.


Finally, another ‘failure to prevent’ law was recently passed in the UK, by way of the Worker Protection (Amendment of Equality Act 2010) Act 2023 (which became effective in October 2024). The UK Equality Act 2010 was amended, to place a new duty on UK employers to take reasonable steps to prevent sexual harassment of employees.

Whilst not a criminal offence, this marks another significant shift in obligation from the individual toward the employer, in order to challenge inappropriate conduct in the workplace. If an employer cannot demonstrate that it has reasonable policies, procedures and training programmes in place within its organisation that are designed to stamp out sexual harassment, this could potentially lead to a 25% uplift in damages if the employee succeeds in a claim of sexual harassment. There may well be many organisations which require a significant culture shift – as can be seen with the recent sexual harassment scandal at Foxtons estate agency – if such additional costs are to be avoided.

What can companies do to protect themselves?


With all these liabilities in mind, it has never been more important for companies to do everything in their power to ensure that their workforce is made up of the ‘right stuff’ and that bad actors are weeded out at the earliest opportunity. One quick win for a company to prove that it is in fact taking sensible and proportionate risk-prevention steps in respect of the integrity of the people that it hires is to point to a background screening regime – both at the point of hire, and at regular subsequent intervals – which is tailored to the company’s risk points in respect of bribery, tax evasion and fraud by its employees and associates. It is likely that the new UK Employment Act will do away with the current two-year minimum employment period required to secure employment rights such as protection from unfair dismissal, instead imposing a reduced probation period (estimated 6-9 months). With employment rights solidifying in this way, companies should be doing whatever they can to ensure that they hire the right person first time.

How to use screening to protect your employees and reputation

Really, it’s about protecting your employees [as a duty of care!] but also the business from a damaged reputation or legal issues. The WPA, which has already been in effect for several months now, imposes a preventative duty around the workplace, which must include safer reporting of incidents. This includes:

  • Management training for incident handling
  • Making sure code of conduct is clearly communicated
  • Safe reporting process for individuals

When it comes to vetting, companies should:

  • Review their screening policy regularly
  • Conduct rechecks [just because someone was clear when hired does not mean that will not change during their career, and without checking you might not be aware]
  • Really think about which checks might bring any new information to light.

Meanwhile, ECCTA introduces several penalties for failing to prevent fraud. The main focus is within the Financial Services, Legal, and Professional Services industries, but it does extend beyond these as any large organisation will need to have robust fraud prevention.

There is no ‘one size fits all’ approach; it depends on the company, its industry, and what it does. Your main consideration should be risk mitigation: confirming someone’s ID, but also identifying any information which might have damaging implications for the organisation and its employees. Some common checks include:

  • Social Media [ECCTA & WPA]
  • Adverse Media [ECCTA & WPA]
  • Employment checks [ECCTA] – especially with instant employment solutions like Konfir, which help identify fraud more efficiently
  • Criminal checks [ECCTA & WPA]
  • CIFAS [ECCTA]
  • Directorships [ECCTA] – post COVID, ‘side hustles’ have become prevalent, and Gen X tend to have side jobs, so this check can bring much to light

If you’d like to chat to one of our experts about how to stay compliant with ECCTA and WPA, please get in touch at UKenquiries@accurate.com.