Hostname: page-component-745bb68f8f-b6zl4 Total loading time: 0 Render date: 2025-02-10T00:45:39.721Z Has data issue: false hasContentIssue false
  • English
  • Français

Corporate criminal liability under the Economic Crime and Corporate Transparency Act 2023

Published online by Cambridge University Press:  07 February 2025

Jeremy Horder Open the ORCID record for Jeremy Horder [Opens in a new window]
Jeremy Horder*
Affiliation:
London School of Economics, London, UK
*
Email: [email protected]
Rights & Permissions [Opens in a new window]

Abstract

The passage into law of the Economic Crime and Corporate Transparency Act 2023 (ECCTA 2023) marks the first time that Parliament has made significant changes to the common law principles of corporate criminal liability. First, for fault-based crimes, the ECCTA 2023 extends the common law practice of identifying a company with the criminal acts of its directors. By virtue of section 196 of the Act, a company may now also be identified with fault-based criminal acts engaged in by its ‘senior managers’ below directorial level. Secondly, the ECCTA 2023 creates a new corporate offence of failing to prevent fraud, although this may be committed only by so-called ‘large organisations’. I argue that the first of these reforms was not properly thought through, and that it should in any event have been made largely redundant by giving wider scope to the second of these reforms. An opportunity was missed in the ECCTA 2023 to make a failure-to-prevent serious crime a more generally applicable principle of corporate criminal liability.

Keywords

corporate crimefailure to prevent crimeidentification doctrine
Type
Research Article
Information
Legal Studies , First View , pp. 1 - 16
Creative Commons
Creative Common License - CCCreative Common License - BY
This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (http://creativecommons.org/licenses/by/4.0), which permits unrestricted re-use, distribution and reproduction, provided the original article is properly cited.
Copyright
© The Author(s), 2025. Published by Cambridge University Press on behalf of The Society of Legal Scholars

Introduction

The Economic Crime and Corporate Transparency Act 2023 (ECCTA 2023), which received cross-party support in its journey through Parliament, has ambitious aims:

to prevent organised criminals, fraudsters, kleptocrats and terrorists from using companies and other corporate entities to abuse the UK’s open economy…to strengthen the UK’s broader response to economic crime … [and to] support enterprise by enabling Companies House to deliver a better service for over four million UK companies ….Footnote 1

I will focus on one key aspect of the second aim, the strengthening of the UK’s response to economic crime. My concern will be with what is a rare intervention by Parliament in the development of general principles of criminal liability, an intervention that – equally unusually – applies to the whole of the UK. Alongside the introduction in section 199 of the ECCTA 2023 of a new, specific corporate offence of ‘failing to prevent fraud’ (with a bespoke defence that a company had reasonable prevention procedures in place to prevent fraudFootnote 2), section 196 of the same Act has extended the reach of corporate criminal liability in relation to fault-based economic crimes more generally. My argument will be that these reforms are half-hearted, and founded on conceptual confusion.

The extended reach of corporate liability for economic crimes created by section 196 falls between two stools. On the one hand, it effectively creates a kind of vicarious corporate liability for fault-based crimes such as fraud. The doctrine of vicarious corporate liability, familiar to US lawyers,Footnote 3 has historically been applied only to no-fault strict liability offences in the UK.Footnote 4 The doctrine traditionally involves the automatic attribution of criminal liability to a company when, in the course of their employment, an employee – no matter how low in status – commits a criminal offence.Footnote 5 On the other hand, by way of contrast with the position in the US,Footnote 6 and with the position in relation to no-fault offences in the UK,Footnote 7 the scope of this new form of vicarious corporate liability is limited by the ECCTA 2023 to the criminal activity of a firm’s ‘senior managers’ (the definition of which is considered below). However serious it is, a fault-based crime committed by a lower ranking employee (below senior manager) will not automatically be attributable to the company, even if the crime was intended to benefit the company. Why not? The limitation in the ECCTA 2023 has been guided by principles associated with a quite different doctrine of corporate criminal liability in English law. This is the ‘identification’ doctrine.

Perhaps influenced by the German company law distinction between persons who are ‘organs’ of a company and persons who are mere corporate ‘agents’,Footnote 8 the identification doctrine was developed by the courts to determine when a company itself commits a fault-based crime. In that regard, unlike the doctrine of vicarious liability, it is not ostensibly concerned with when a crime committed by a separate person can simply be attributed to the company.Footnote 9 In Tesco Supermarkets Ltd v Nattrass,Footnote 10 Lord Morris explains the key question under the identification doctrine in this way: ‘When is some act the act of the company, as opposed to the act of a servant or agent of the company?’Footnote 11 In this context, the importance of the identification doctrine, as explained by Lord Morris, is that when a crime involves a fault element, such as fraud, the company must be shown to have committed that crime itself. Until the ECCTA 2023, the only persons regarded under the identification doctrine as the embodiment of the company, and hence whose fault-based crimes are ipso facto committed by the company itself, have been the company’s directors.Footnote 12 It is this rule which is changed by section 196. As I have just indicated, the change involves a modest extension to the range of persons who are to be treated as the embodiment of the company, to include its ‘senior managers’ (whether or not directors). Henceforth, when a non-director senior manager (acting within the actual or apparent scope of their authorityFootnote 13) commits a fault-based crime, it is also to be regarded as the company’s criminal act. The senior manager is regarded as, in that respect, the embodiment of the company. That is so, even though senior managers, unlike directors, may be mere employees having no constitutional role within the company at all. As we will see, outside the regulated sector where certain individuals must be designated as ‘senior managers’,Footnote 14 there are few criteria for determining who is (apart from a director) to count as a ‘senior manager’ within a firm. That poses a rule-of-law problem, in terms of lack a certainty over when a company itself stands to be convicted of a fault-based crime when one of its significant employees commits such a crime. That lack of certainty, in turn, stems from a deeper theoretical ambiguity about the 2023 reforms, and about the meaning of the identification doctrine, considered in section 2 below.

Let me now turn to the introduction of an offence of failing to prevent fraud, in section 199 of the ECCTA 2023. Whilst that change is long overdue,Footnote 15 the Act makes no effort to harmonise the provisions of this new offence with the existing corporate offence of failing to prevent bribery, or even with the new extended form of general corporate criminal liability in section 196. That creates unnecessary uncertainty and complexity. Moreover, in an effort to avoid regulatory burdens on the vast majority of (smaller) businesses,Footnote 16 the failure-to-prevent fraud offence is, unlike other existing failure-to-prevent offences, confined to ‘large organisations’ under the Companies Act 2006.Footnote 17 In itself, that restriction breaches what ought to be a general criminal law principle: that if wrongdoing is worthy of criminalisation, then that wrongdoing should in principle be criminal whether it is committed by the weak or the strong, and when it is committed by the economically insignificant as well as by the economically powerful. A small firm is perfectly capable of either committing or failing to prevent a massive fraud, as in some instances of so-called startup company frauds.Footnote 18 All in all, an opportunity was missed by the ECCTA 2023 to put corporate criminal liability on a theoretically and practically sounder (and more comprehensive) footing.

1. The ECCTA 2023 in theoretical context

Before embarking on detailed consideration of the points made in the introduction above, we should consider the roads not taken, and the path that led to the 2023 reforms. It is trite law that a company may be regarded as in an important sense a ‘myth and a fiction’,Footnote 19 a ‘legal abstraction’,Footnote 20 ‘mere machinery’,Footnote 21 or ‘an abstract conception’.Footnote 22 As Lord Hoffmann put it, ‘There is in fact no such thing as the company as such, no ding and sich, only the applicable rules [of attribution]’.Footnote 23 We can call this the conception of a company as a ‘formal legal’ entity. On the one hand, so to conceive of a company might suggest that a company is not a fit subject for criminal liability at all, lacking moral agency.Footnote 24 On the other hand, to conceive of a company in such terms might superficially appear liberating, in criminal law terms. If a company is not a moral agent, then perhaps the constraints on criminalisation ordinarily applicable to moral agents – in particular, a bar on imposing vicarious liability for stigmatic (fault-based) crimes – do not apply? The latter line of thinking has been adopted in the US Federal law, where justifications for imposing criminal liability on companies have frequently been largely instrumental in character. For example, in affirming that a company could be held vicariously criminally liable for fault-based crime, in New York Central and Hudson River Railroad Company v US,Footnote 25 Justice Day said:

[W]e see no good reason why corporations may not be held responsible for and charged with the knowledge and purposes of their agents, acting within the authority conferred upon them … If it were not so, many offenses might go unpunished and acts be committed in violation of law where, as in the present case, the statute requires all persons, corporate or private, to refrain from certain practices, forbidden in the interest of public policy.Footnote 26

Some English criminal law theorists have advocated that English law take a broadly similar approach. For example, GR Sullivan has argued in favour of a model of vicarious criminal liability for companies (albeit with a due diligence defence), in part on the grounds that, ‘[t]here is no conceptual basis for a retributivist response to corporate illegality and no basis … for the claim that corporations are substantive moral agents which may perpetrate specifically corporate wrongs’.Footnote 27 Partial vindication of his approach might now seem to have come, in the form of a proliferation of failure-to-prevent offences such as those created by section 199 of the ECCTA 2023, although it is important to keep in mind that failure-to-prevent offences are offences in their own right, and not instances of vicarious liability, even though liability is triggered by the occurrence of the predicate offence.Footnote 28

However, English law has traditionally been slower to throw off the side-constraints on criminalisation traditionally imposed by morality, simply because it is a company that is on trial. In Tesco Supermarkets v Nattrass,Footnote 29 Lord Morris remarked:

In general, criminal liability only results from personal fault. We do not punish people in criminal courts for the misdeeds of others. The principle of respondeat superior is applicable in our civil courts but not generally in our criminal courts.Footnote 30

In a way, thus, the identification doctrine can be considered to be the product of an argument for traditional constraints on (corporate) criminalisation that is a moral argument ‘by proxy’. Company directors are moral agents and so, if a company’s acts are identified with the acts of such persons, then the same (moral) constraints on criminalisation will apply to the company as apply to its directors.

Even so, this justificatory path to the moralisation of corporate criminal liability has in-built limitations. As I will argue in section 3 below, one reason that only the acts of company directors have traditionally been regarded as identified with the company is that only directors have supreme executive authority under a company’s constitution.Footnote 31 The criminal law’s moralised understanding of the company, as a formal legal entity, is thus allied to a conception of it as what might be called an entity led by a ‘supreme authority’, a conception derived from the constitutional building blocks of a company set down in the Companies Act 2006. This is an entity wherein supreme executive authority rests with one or more persons (the directors), whose ultimate responsibility it is to account to the outside world (including regulatory and prosecutorial authorities) for the company’s conduct.Footnote 32 It follows that if, as now happens in virtue of section 196 of the ECCTA 2023, a company’s acts may be identified with non-director ‘senior managers’, then the moral argument ‘by proxy’ for corporate criminal liability is weakened. That is because it has become detached from the conception of the company as an entity led by a supreme authority. Senior managers may be moral agents, but they are – just like any other employee – answerable for their conduct, qua managers, to a higher authority within and not external to the company. So, in being fixed with liability for the crimes of senior managers, companies, as entities led by a supreme authority, are being made vicariously liable for the actions of their employee senior managers: an outcome a moralised account of corporate wrongdoing is meant to avoid.

The extension of a company’s identity to include ‘senior managers’ has been endorsed by Celia Wells, whose path-breaking work has done much to shape the course of scholarly argument, and ultimately legal reform.Footnote 33 However, in common with a number of other scholars, her main focus has been a quite different way of seeking to ‘moralise’ the company, for the purpose of justifying criminalisation. A number of scholars have sought to do this by changing the understanding of a company underpinning the moralisation. Instead of relying on a Weberian, bureaucratic conception of a company as a ‘formal legal’ entity or an entity with a ‘supreme authority’, influential academic theorising (and some examples of criminal law creation under statute) has sought to construct a moralised system of corporate criminal responsibility by reference to companies as so-called ‘real’ entities.Footnote 34 Company law theorist Eva Micheler explains the idea of a company as a ‘real entity’ thus:

[F]irms … are more than the sum of the contributions of their participants. They also act independently of the views and interests of their participants. This occurs because human beings change their behaviour when they act as members of a group or an organization. In a group we tend to develop and conform to a shared standard. When we act in organizations habits, routines, processes, and procedures form and a culture emerges. These take on a life of their own affecting the behaviour of the participants.Footnote 35

On this view, companies are much more than just formal legal entities. Instead, they are characterised by their ‘real’ lives: their routines, procedures, and culture. As Wells put it, ‘internal structure and culture affect a company’s actions’, and so, ‘an act is corporate not only because of its form, but because of the policy it instantiates, displays or manifests’.Footnote 36 Section 12 of the Australian Criminal Code Act 1995 sought to give legislative expression to this idea. Under section 12, a company will be found to have culpably (intentionally or recklessly) committed an offence if it authorised or permitted its commission; and the company may be found to have authorised or permitted the commission of an offence if, amongst other things, ‘a corporate culture existed within the body corporate that directed, encouraged, tolerated or led to the non-compliance with the relevant provision’.Footnote 37 More recently, in a similar vein, Elise Bant has argued that it is possible to infer corporate intention to offend, and not merely reckless or negligence toleration of offending, in the operation of systems and processes that lead employees to engage in wrongdoing.Footnote 38

A key feature of many of these accounts (Celia Wells’ account is an exceptionFootnote 39) of the moralised basis of corporate criminal responsibility is that they focus on aspects of a company as a real entity that point solely to inculpation, rather than to exculpation. In other words, dysfunctional or corrupted aspects of a firm’s procedures, processes and culture, that explain why an act of wrongdoing occurred, are taken as evidence of culpable corporate states of mind such as intention or recklessness in relation to the commission of that wrongdoing. In making such arguments, adherents of real entity theories of corporate culpability fail to convince. To begin with, what if the dysfunctional or corrupted aspects of procedures, processes or culture were, even if they shed light on the offending, very much a minority, ‘counter-cultural’ presence in a firm that was otherwise one that adhered to high standards? If liability is still imposed on the firm in such circumstances, it is unclear how this meets the demand that criminal liability must involve so-called ‘fair labelling’: the demand that an offence properly represent the involvement of the person convicted.Footnote 40 For that reason, Wells suggests that a firm ought to be able to resist liability, in such circumstances, if it can show that the offending was ‘against established internal policy’;Footnote 41 but that point takes us back to the question of (supreme) authority: ‘established’ at what level within the firm?

In its paper that formed the basis for the ECCTA 2023 reforms, the Law Commission rejected a ‘real entity’ basis for inculpation,Footnote 42 and this rejection reflects a more fundamental difficulty with such a basis for inculpation. The existence of a system, procedure, process or culture is an ongoing ‘state of affairs’ (be it good or bad), and is as such acausal in nature. It has no status or identity as a unique act or omission taking place at a moment in space-time. Yet, many serious crimes, such as fraud or bribery, require proof of their manifestation as an ‘act-token’, a causally significant, unique space-time particular. The existence of a given system, procedure, process or culture within a company qua real entity cannot be, then, constitutive of an act in space-time associated with it (such as fraud), even though that procedure, process or proof may very well explain why such an act came to be engaged in. By contrast, evidence of a ‘state of affairs’ constituted by (sound) procedures, processes and culture can be potent exculpatory evidence,Footnote 43 a point reflected in the Government’s formal guidance on the exculpatory defence – to the offence of failing to prevent fraud – of ‘reasonable (fraud prevention) procedures’.Footnote 44 That is because evidence of such a state of affairs is evidence that certain ‘types’ of action – bribery; fraud; dangerous conduct – have been made by management to seem unacceptable to (most) company employees, or at least significantly harder to commit undetected. When management has achieved this state of affairs, then making it a legal ground for exculpation provides an incentive for other firms to do likewise, rather than expending their efforts instead on covering up offending, or seeking to put all the blame on the individual offending employee. As we will see, an anomaly in the ECCTA 2023 reforms is that they follow through on this point with a reasonable prevention procedures defence in relation to the section 199 offence of failing to prevent fraud and related offences, but not in relation to extended liability under section 196.

2. Extended corporate criminal liability under the ECCTA 2023

Section 196(1) of the ECCTA 2023 provides that:

If a senior manager of a body corporate or partnership (‘the organisation’) acting within the actual or apparent scope of their authority commits a relevant offence … the organisation is also guilty of the offence.

In relation to the concept of a ‘senior manager, ‘section 196(4)(c) provides that:

‘Senior manager’ in relation to a body corporate or partnership, means an individual who plays a significant role in – (a) the making of decisions about how the whole or a substantial part of the activities of the body corporate … are to be managed or organised, or (b) the actual managing or organising of the whole or a substantial part of those activities.

These reforms stem from a recent examination of the issues by the Law Commission, in the course of which the Commission set out the ‘senior manager’ provisions as one of a series of options for reforming the traditional basis for attributing fault-based crimes to companies.Footnote 45

As we have seen, prior to the ECCTA 2023, only persons with ‘directing mind and will’ status (company directors) were persons whose words and actions were identified with the company and hence were regarded as the words and actions of the company itself;Footnote 46 and the common law insisted that, with fault-based crimes, the prosecution show that all the elements of the offence (be they culpable words or actions) were identified with the company in this sense. So, for example, in order for a company to be convicted of fraud, contrary to section 2 of the Fraud Act 2006 (a fault-based crime), the traditional version of the identification doctrine required any false representation dishonestly made to have been made by someone at directorial level, acting within the scope of their authority.Footnote 47 The making of such a false representation by any other person in the company, no matter how high-ranking, would not – unless someone with directing mind and will was complicit in its making – implicate the company itself. Once the identification doctrine became authoritative at common law, older cases in which a fraud perpetrated by a senior manager (below board level) in the course of their employment was attributed to the company, were no longer regarded as sound in law.Footnote 48 Accordingly, section 196 will, in all probability, have the effect of producing a different outcome in cases with facts such as those in the well-known case of R v Andrews Wetherfoil. Footnote 49

In that case, a company’s managing director, a ‘technical’ director and the manager of a housing division had been involved in corrupt contractual dealings. The question was whether that meant their company was also guilty of corruption. The Court of Appeal quashed the company’s conviction, holding:

It is not every ‘responsible agent’ or ‘high executive’ or ‘manager of the housing department’ or ‘agent acting on behalf of a company’ who can by his actions make the company criminally responsible. It is necessary to establish whether the natural person or persons in question have the status and authority which in law makes their acts in the matter under consideration the acts of the company so that the natural person is to be treated as the company itself.Footnote 50

The outcome would in all probability now be different, in such a case, in that it is likely that the managing director, the technical director, and even the manager of the housing division, would all be regarded in law as ‘senior managers’, in accordance with the definition given above.

In broad fair labelling terms, you might think it plausible to suppose that if (say) a firm’s regional manager engages in fraud or corruption to benefit the company, the company itself should also be regarded as committing those crimes through the manager’s acts; but that conclusion may be doubted. Consider this possibility. It is trite law, both in the UK and the US, that an employee may still be regarded as acting within the scope of their employment (and to benefit the company) even if the action in question was contrary to company policy or to their superior’s orders.Footnote 51 So, suppose that a senior manager (such as one of those in Andrews Wetherfoil), acting within the scope of their authority, engages in corruption to win business for their company; but, the board of directors not only knew nothing of the manager’s intentions, but had also recently reaffirmed to all managers the company’s long-standing commitment to ‘zero tolerance’ of corruption in any form. In such circumstances, whether or not the senior manager is acting within the scope of their authority, is it really fair to label the company itself as guilty of corruption, in virtue of the manager’s actions? The common law’s former focus on directors, whatever its limitations (explored in due course), was designed to avoid this problem. As indicated above, that is because such a focus was meant to ensure that, in committing a crime, a director would not be betraying a higher authority within the company.Footnote 52 In Tesco v Nattrass, Viscount Dilhorne put it this way, in defining a senior officer (director) who could be identified with the company, by contrast with other people within it, such as employees, however high-ranking:

A person who is in actual control of the operations of a company or of part of them and who is not responsible to another person in the company for the manner in which he discharges his duties in the sense of being under his orders cannot be regarded as ‘another person’ [separate from the company]…Footnote 53

There is a further reason why it may be regarded as unfair to saddle a company with liability for the acts of (errant) senior managers. This is a reason that comes in part from a point alluded to at the start: the failure to align the aims of section 196 with the aims of failure-to-prevent offences.

Under section 7 of the Bribery Act 2010, a company may be found criminally liable for a failure to prevent bribery, if bribery is committed by someone associated with the company (whatever their status) in order to benefit the company. That, of course, is precisely what has happened in the hypothetical example given aboveFootnote 54 (and indeed, in Andrews Wetherfoil). Suppose, then, that someone associated with a company,Footnote 55 no matter what their status within the company, has committed bribery in order to benefit the company. It is in a way hard to imagine a more appropriate and fitting label for the company’s involvement than to say that it failed to prevent the bribery, especially in circumstances in which it had taken no steps (or only ineffectual steps) to prevent such a thing happening. However, as a result of section 196 of the ECCTA 2023, the clear picture in point of labelling provided by this legal position has become obscured. We now have to accept that, in a case where the person associated with the company who committed the bribery was someone the court rules to have been engaged in (for example) ‘managing a substantial part of [the company’s] activities’, the company itself is guilty of that self-same bribery. That is an unsatisfactory situation.

It is unsatisfactory for two main reasons. First, failure-to-prevent offences come with a complete defence that the company had in place at the relevant time adequate or reasonable crime-prevention procedures. No such defence applies to a company charged with an offence based on the application of section 196, even though the most senior people in the company may have been just as much in the dark about the commission of the offence by a subordinate senior manager in this instance, as when a failure-to-prevent offence applies.Footnote 56 Section 196 thus creates a seemingly paradoxical situation. A company can be said to have been intentionally engaged in active corruption, fraud, or another fault-based crime (through the actions of a ‘senior manager’), at exactly the same time as, at the highest level, it earnestly and wholeheartedly disassociated itself from and disavowed such conduct. Section 196 thus creates a perverse incentive to cover up crime of all kinds committed by senior managers, so that the company will not be found to have committed the crimes itself, whilst (with the failure-to-prevent offences in mind) also enforcing procedures to prevent fraud or bribery being committed by lower-level employees.Footnote 57 Secondly, the vagueness of the definition of ‘senior manager’ creates uncertainty concerning the scope of companies’ direct liability for substantive offences, undermining any claim that a company is fairly labelled as an offender in its own right when a senior manager acting within the scope of their authority commits the offence.

The Law Commission acknowledged, in relation to its consultation on the issue, that ‘the majority of respondents thought there was no merit in the Canadian and Australian identification principles which attribute corporate criminal liability when a member of the senior management has the requisite fault’.Footnote 58 Nonetheless, the Law Commission concluded in relation to the definition of ‘senior manager’ that:

It would not usually capture someone whose role was limited to management of a discrete unit – such as an individual store – which does not represent a substantial part of the company’s affairs. However, where that operation did represent a substantial part of the company’s activities, it would be captured. To take one instance, if a media company’s affairs consisted of the publication of two newspapers, each publication could be ‘a substantial part’ of the affairs of the company, and accordingly each publication’s senior management would be caught by the expanded definition.Footnote 59

The difficulty with such speculation is how little concrete guidance it is capable of providing. In the example given, the chief editor-manager of each of two newspapers might, as the Law Commission suggests, be regarded as in charge of a ‘substantial part’ of the company’s affairs; but would the position really be so different if the company owned a string of local newspapers, each with its own editor-manager; and if so, why? In the case of each newspaper owned by the company, the editor-manager may (ex hypothesi) have essentially the same role.

The problem lies with the fact that the definition of ‘senior managers’ representing the company itself in section 196 goes beyond persons having what might be called ‘strategic policy’ responsibilities for the company or group of companies as a whole.Footnote 60 In order to avoid a reform that might be perceived as merely tinkering at the edges of the old identification doctrine, ‘hands-on’ managers downstream (of a substantial part of a firm’s activities) are included. Such people are included, even though they may have no role whatsoever in setting the company’s overall strategy and policy, and may – depending on how the company operates – rightly see themselves largely as rule-followers, perhaps in a technical capacity, rather than primarily as rule-setters: think of someone employed to manage the running of a company’s IT. In that regard, the advantage of failure-to-prevent offences over the section 196 basis for liability is that, whatever the rank of the employee or agent associated with the company who committed the relevant crime, the company knows that it will face liability unless it had robust procedures in place to prevent such crimes. In that respect, there is an irony about section 196, given its intellectual and legislative origins. As indicated above,Footnote 61 the extension is based on corporate crime legislation in Canada, where – for example – corporate bribery of a foreign public official is committed if it is engaged in by a ‘senior officer’ of the company.Footnote 62 However, in its report on anti-bribery compliance in Canada, the OECD was critical of the effectiveness of the ‘senior manager’ version of the identification doctrine, when compared with the potential benefits of a failure-to-prevent offence.Footnote 63 Although it is scheduled to be extended to all crimes in the UK,Footnote 64 section 196 has mainly been introduced to cover, for most part, offences where it should be needed least: financial crimes to which the failure-to-prevent offences applies.Footnote 65

3. Extended liability: some unresolved theoretical problems

The introduction of the reforms effected by section 196 provides an opportunity briefly to reflect on the philosophy that underpins them. In Lennard’s Carrying Co Ltd v Asiatic Petroleum Co Ltd,Footnote 66 the case regarded as establishing the identification doctrine to govern corporate liability for fault-based offences, the company in question was a sole-director company. It is not hard to understand why, when the director of such a company engages in a criminal act of any kind, the company is ipso facto regarded as also engaging in that act. Even so, we should note the unclear theoretical basis for regarding even a sole director’s act as, in virtue of the director acting in a directorial capacity, the company’s ‘act’. The fact that such a director is an agent of the company establishes that the director’s acts will bind the company, but it does not establish that those acts are engaged in by the inanimate company itself. It seems more plausible to suppose that the so-called ‘identification’ doctrine is really just a way of severely limiting the circumstances in which a company will be held (vicariously) liable for a fault-based crime, for fair labelling reasons.Footnote 67

Implicit in the identification doctrine is the view that, if a company is rightly to be found guilty of a stigmatic offence such as fraud, the demands of fair labelling dictate that the commission of that fraud should have been committed or authorised at the highest (directorial) level. In that regard, the focus on directors can be understood as having been guided not just by considerations of certainty, but also by the constitutional role, in corporate law terms, played by such persons. So far as the running – as opposed to ownership – of a company is concerned, the need to have directors is a corporate constitutional fundamental, in a way that the need (if any) for employees, however high ranking, is not.Footnote 68 Directors have a special executive status granted to them by legislation. As we have seen, section 40 of the Companies Act 2006 says, ‘in favour of a person dealing with a company in good faith, the power of the directors to bind the company, or authorise others to do so, is deemed to be free of any limitation under the company’s constitution’.Footnote 69 There is no such legislated constitutional basis for the powers exercised by employed senior managers.

Having said that, it is now clear that the common law’s focus on directors did not necessarily escape the fair labelling problem, discussed in section 2, which arises if a company’s board is betrayed when (contrary to instructions) a senior manager commits a fault-based crime. That is because neither in Lennard’s Case nor in Tesco v Nattrass was attention paid to the situation in which an individual director might be given a specific brief by the board in relation to, say, the striking of a deal, but might – whilst remaining with the scope of their directorial powers – betray the board by committing a crime in the course of striking the deal. As Davies LJ put it, in SFO v Barclays, ‘there is no general principle that the knowledge and approval of one director is necessarily and for all purposes to be regarded as the knowledge and approval of the board of directors (and thereby of the company)’.Footnote 70 If that is true, then is there any longer a principled basis for refusing to extend a company’s liability in respect fault-based criminal acts beyond directors to include high level manager-employees? As explained in section 2, the answer to that question is that, in relation to all crimes (whether fault-based or not) committed by associated persons (whether directors, senior managers or employees), our focus should switch from the commission of the crime to the failure to prevent it. A company is fairly and appropriately labelled as having failed to prevent crime, when the failure is that of the board as a collective entity, however many directors it has and whatever their directorial status.Footnote 71 Understanding that such in-principle liability for a failure-to-prevent offenceFootnote 72 is based on a collective failure at the highest level, means that one eradicates the potential labelling problem involving in equating the acts of companies with the criminal acts of individual directors or senior managers.

Once one moves beyond the conduct of the one-person company, corporate crime is always relational in some sense. P, the perpetrator associated with the company, will be following or disobeying someone else’s instructions, or interpreting (probably wrongly) their remit in exercising a discretion conferred on them; and someone else or group of persons with oversight responsibilities will have failed to stop P committing the crime.Footnote 73 It is the failure-to-prevent model, and not the identification doctrine, that makes a relational question central to the justification for conviction. The key question becomes: ‘granted that the board of directors has a responsibility – whether or not delegated – to prevent crime committed by associated persons, and (in a given instance) failed in that responsibility, should the company be held criminally liable for that failure?’ The failure-to-prevent model is sometimes thought of as an outlying species of corporate criminal offence, a poor substitute for ever more sophisticated doctrines of identification.Footnote 74 On the contrary, one could just as easily think of ‘identification’ as the marginal case, a doctrine that works in an authentic way only in the case of the one or two-person company. On that view, the failure-to-prevent model could become the exemplar of the way in which companies themselves stand, in relation to crimes committed by all persons engaged on company business.Footnote 75 For that reason, it is section 199 of the ECCTA 2023, that extends the reach of failure-to-prevent offences, that should have been the centrepiece of the reforms, with section 196 playing no part in the reforms at all.

4. Failure to prevent fraud: too small to fail?

The introduction of an offence of failure to prevent fraud, in section 199 of the ECCTA 2023, should be regarded as a major step towards providing, for the first time, a theoretically sound basis for corporate criminal responsibility for economic crime, and for fraud and related offences in particular. The background to the creation of this offence is that the National Crime Agency claims not only that there were 3.7 million incidents of fraud in England and Wales in the year ending December 2022, but also that 86% of fraud instances are unreported or underreported, and that £2.46 billion was lost by businesses and individuals alone to fraud in the financial year 2021/22.Footnote 76 Section 199 of ECCTA 2023 now provides:

A relevant body which is a large organisation (see sections 201 and 202) is guilty of an offence if, in a financial year of the body (‘the year of the fraud offence’), a person who is associated with the body (‘the associate’) commits a fraud offence intending to benefit (whether directly or indirectly)—

  1. (a) the relevant body, or

  2. (b) any person to whom, or to whose subsidiary undertaking, the associate provides services on behalf of the relevant body.

The most obvious point of comparison, in analysing this new offence, is its counterpart prohibiting corporate failure to prevent bribery: section 7 of the Bribery Act 2010.Footnote 77 The most notable difference between the two offences, in that regard, is the restriction of the failure-to-prevent fraud offence to so-called ‘large organisations’, which under the ECCTA 2023 means organisations meeting two or more of the following criteria: a turnover of more than £36m, total assets of the more than £18m, and an average of more than 250 employees.Footnote 78 By contrast, section 7 of the 2010 Act applies to all relevant commercial organisations irrespective of size. In the UK, 74% of UK businesses had no employees in 2022, and over 99% of businesses were small or medium-sized businesses (SMEs), employing 0–249 people.Footnote 79 Of the 5.5 million businesses in the UK in 2022, only around 8,000 were large businesses – with 250 or more employees – representing just 0.1% of the business population, even though such businesses support 39% of jobs and nearly half of all business turnover.Footnote 80 It follows that, in relation to many key investment decisions taken by families – such as buying a car, or renovating a house – the firms such families rely on to conduct transactions ethically will be outside the scope of this offence.

The Government rejected an invitation to confine the exemption from its scope to small companies, the small company threshold being 50 employees, £10.2 million of turnover and a £5.1 million balance sheet. In explaining this decision, Kevin Hollinrake MP said:

We are very clear that we believe we have the right threshold. Larger companies clearly have the capacity and the human resources and risk compliance departments to mitigate these kinds of risks, whereas small and medium-sized enterprises are rightly much more focused on driving their business forward, which is very important to the economic health of our country. I think we have it right.Footnote 81

He also said, ‘The Government are extremely mindful of the pressures on companies of all sizes, including SMEs, and therefore do not feel it is appropriate to place this new unnecessary burden on over 450,000 businesses’.Footnote 82 It is understandable that the Government would wish to ensure that the burden of complying with what is (in fact, in not in law) a requirement to have reasonable procedures in place to prevent fraud does not outweigh the benefit of having the offence. The potential for encountering fraud, both offending and becoming a victim, is widespread throughout many sectors of the economy and by no means confined to larger firms. That provides a contrast with bribery, which is an offence that, for example, few plumbers, window cleaners, bakers or cab drivers will ever have to worry about. However, two criticisms should be made of the Government’s approach.

First, there is the general theoretical point made in the House of Lords that, if corporate failure to prevent fraud is (in the absence of reasonable procedures to prevent it) so wrong as to justify criminalisation, then that justification applies with equal force to all firms irrespective of size.Footnote 83 The use of arbitrary line-drawing between firms, based on size, to determine which firms are in scope, is to confuse the permissible kinds of limits that can be placed on criminal law with factors relevant only to regulatory intervention. Secondly, even if an exemption for smaller firms could be justified, it needs to be justified in terms of sound economics and criminology. In that regard, it seems probable that the firms most likely to find that their employees have engaged in fraud to benefit the company will be firms seeking or undergoing economic growth.Footnote 84 It follows, thus, that if there is a case for exempting a class of firms from the scope of the offence, it will be not all ‘small firms’ (those with eg fewer than 50 employees), since many such firms will be those striving for rapid growth and thus at greatest risk of encountering the use of fraud by their employees to achieve that end. Instead, the exempted class should be so-called ‘micro’ companies, with a turnover of £632,000 or less, £316,000 or less on their balance sheets, and 10 employees or fewer.Footnote 85 That is because it is overwhelmingly likely that this class of firm – forming the majority of firms in the UK – will be run either as a ‘subsistence’ or as a ‘lifestyle’ small business,Footnote 86 rather than for the purposes of economic growth. In other words, they will be run solely for the purpose of providing employment (and worthwhile activity) for an individual or family. Whilst such firms may well engage in tax fiddles, health and safety violations, and sector-specific regulatory infringements,Footnote 87 they are unlikely to be involved in the commission of large-scale fraud of the kind the provisions of the ECCTA 2023 are meant to address.

One final point should be made about the scope of the section 199 offence. By virtue of section 199(7) and (8), it is brought into play when a fraud offence is committed by an employee, agent or subsidiary (or employee of a subsidiary), or by any other person providing services for the company. In that respect, a wider range of persons are to be regarded as ‘associated’ with a (large) company when they commit a predicate offence than is the case with other failure-to-prevent offences. Even so, there is a notable set of excluded cases, created by the requirement for the associated person committing the fraud offence to have acted with the intention (directly or indirectly) of benefiting the company itself or some other person for whom the associated person provides services for the company. Consider this example:

D, a financial adviser working for C bank, dupes P, a customer with C bank, into investing in a firm privately owned by D, when P contacts D asking for the bank’s advice on investments. D, acting for personal private gain, does not disclose to P that he owns the firm in question.

In this example, it is a long-standing principle of private law that C bank may be vicariously liable in damages to P, assuming that D was acting in the course of his employment.Footnote 88 By contrast, however negligent it may have been, C bank will not be criminally liable for failing to prevent D’s fraud. That is because, in committing the fraud, D (ex hypothesi) did not act in order to benefit the bank or another person (including P) to whom D was legitimately providing services for the bank. The difference in outcome does more than illustrate a principle of parsimony at work in the imposition of criminal liability. It reveals a difference in the understanding of the ‘company’, for the purposes respectively of tort law and of failure-to-prevent offences in criminal law. Tort law regards companies as in essence a network of contracts,Footnote 89 with the result that principles of liability centre on harmful wrongdoing in the course of performing those contracts (a notion broadly construed, in scopeFootnote 90), in acting with actual or ostensible contractual authority, and so on. By contrast, the focus of failure-to-prevent fraud offences extends beyond a contractual nexus with the wrongdoer, to the presence of an intention to further the commercial objectives of the company through the wrongdoing. Accordingly, failure-to-prevent fraud offences (like their vicarious liability counterparts in the USFootnote 91) see the company in this respect as a ‘real entity’, an entity with overarching commercial plans and goals, as well as systems, culture and processes.Footnote 92 On such a view, to be fairly attributable to the company, fault-based wrongdoing on the part of an associated person must intelligibly have been related to the pursuit of these plans or goals. It is not enough merely that the wrongdoing was engaged in during the course of employment. Whether such a restrictive view of the scope of failure-to-prevent fraud proves acceptable to the public, once its implications become clear, remains to be seen.

Conclusion

Almost all statutory reform involves missed opportunities. Even so, having waited so long for parliamentary intervention to reform the principles of corporate liability, the waiting has scarcely been worth it. The impact on the level of corporate financial crime is likely to be marginal, and there is no provision for a failure-to-prevent offence applicable to companies (and perhaps also charitable bodies) when an associated person has committed a grave human rights violation.Footnote 93 There is also a muddle at the heart of the ECCTA 2023. The muddle stems from uncertainty over how to approach corporate crime when committed by firms of different sizes. In the UK today, of the 5.4 million registered businesses, 4.1 million (74%) had no employees, and 3.1 million (56%) were unincorporated sole proprietorships, almost all of which had no employees.Footnote 94 Accordingly, the vast majority of businesses will be unaffected by the reforms in the ECCTA 2023, because they do not have ‘senior managers’ apart from the directors themselves (and so will remain unaffected by the reformed identification doctrine), and because they are too small to fall within the scope of the failure-to-prevent fraud offence. By contrast micro and small businesses that do have someone who could be described as a senior manager under the ECCTA 2023 are (as under the present law) exposed to harsher treatment than larger firms. That is because such businesses may be exposed to primary liability under section 196 for economic crime through the actions of their senior managers, without having the benefit of a ‘reasonable prevention procedures’ defence. Meanwhile, whilst large firms now also face liability under section 196 through the actions of their senior managers, crucially, they – unlike smaller firms – may (and if there are problems of proof, in all probability will) be charged instead with failing to prevent a fraud offence, where a reasonable prevention procedures defence does apply. It would have been simpler and fairer to have applied the failure-to-prevent offence (with a reasonable procedures defence) to all firms, so far as economic crime is concerned.

Is the failure-to-prevent model thus the future for criminalisation of companies? That is less clear. There is nothing new about failure-to-prevent offences. For example, under section 34(1) of the Environmental Protection Act 1990, it is an offence for a relevant person to have failed to take all applicable measures as are reasonable in the circumstances to prevent any contravention by any other person of one of the main waste disposal offences, in section 33(1). Failure-to-prevent offences perform a valuable fair labelling function by linking the company to a harmful wrong done by an associated person. In the absence of such a wrong done by such a person, there is no (failure-to-prevent) crime. By contrast, 50 years ago, the Health and Safety at Work Act 1974 relied on a different model of corporate criminality: what might be called the ‘risk-management’ model, focused on a firm’s failure to ensure (so far as reasonably practicable) that people who might be affected by a firm’s operation are not exposed to risks to their health and safety.Footnote 95 On this model, whether or not a third party endures a consequential set-back to their health and safety, in virtue of such a failure, is not relevant to the commission of the offence. Broadly speaking, it is this risk-management model that has been followed in, for example, Part 5 of the Online Safety Act 2023 as it applies to major social media companies. They are now exposed to fines for systems and process failures with respect to fraudulent advertising on their platforms.Footnote 96 For example, under the 2023 Act, the largest service providers must establish proportionate processes and systems: (i) to prevent users from encountering fraudulent adverts on the platform; (ii) to minimise the length of time for which fraudulent adverts are present; and (iii) to swiftly take fraudulent adverts down where they have become aware of them or have been alerted to their presence. The focus, thus, is on the operation of the company as a ‘real entity’Footnote 97 – on systems and processes for reducing the risk that users will fall victim to fraudulent advertising – and not on liability for harm suffered by a user when falling victim to such advertising.

There may be no definitive answer to the question of which approach (harmful wrong-focused, or risk-focused) is right. However, the adoption of the risk-management model in the field of health and safety, and in relation to online protection from fraudulent advertising, reflects the important fact that both these fields are governed by expert regulatory bodies, with powers or duties proactively to advise on best practice or warn about poor practice, as well as reactively to investigate and prosecute breaches of standards.Footnote 98 A risk-management offence model is well-suited to that regulatory and preventative context. By contrast, outside the financial sector, there is no proactive duty on prosecutors to advise or warn companies, or to promote risk-minimisation generally, as opposed to reactively investigating and prosecuting (or agreeing Deferred Prosecution Agreements (DPAs)). In that regard, unless and until the Financial Conduct Authority is given regulatory responsibility for strategising the prevention of corporate economic crime generally, it is the failure-to-prevent model that best fits the current non-regulatory context, with the commission of the predicate offence setting the reactive processes in motion.Footnote 99

References

1 R Taylor Economic Crime and Corporate Transparency Bill HL Bill 96 of 2022–23 (House of Lords Research Briefing, 2 February 2023) p 2, https://lordslibrary.parliament.uk/research-briefings/lln-2023-0008/ (last accessed 16 January 2025).

2 Technically, the available defence under s 199(4) is that the company had in place prevention procedures that it was reasonable in all the circumstances to expect it to have in place. In rare instances, it might – say, for a limited time – be reasonable to have had inadequate procedures in place, as when B Company has taken over C Company, and is yet to upgrade C Company’s procedures. I owe this point to Kuldip Singh KC. Section 199(4) also makes it a defence to show that it was reasonable not to have had prevention procedures in place, a defence that is not available in failure-to-prevent bribery cases.

3 See New York Central and Hudson River Railroad Company v US, 212 US 481 (1909), imposing vicarious liability on a company for crimes (including fault-based crimes) committed by an employee or agent intending to benefit the company. For further discussion of the requirement for an ‘intention to benefit’ the company, in this context, see text at n 91 below.

4 Mousell Brothers Ltd v London and North West Railway [1917] 2 KB 836; James & Son Ltd v Smee [1954] 3 WLR 631.

5 The Law Commission rejected the adoption of such an approach to govern crimes more generally in UK law: see Corporate Criminal Liability: An Options Paper (London: Law Commission, 2022) ch 5.

6 See New York Central and Hudson River Railroad Company v US, 212 US 481 (1909).

7 See eg Coppen v Moore (No 2) [1898] 2 QB 306.

8 See the discussion in Pinto, A and Evans, M Corporate Criminal Liability (London: Sweet & Maxwell, 2nd edn, 2008) p 46 Google Scholar; DPP v Kent and Sussex Contractors Ltd [1944] 1 KB 146 at 154–155 (Viscount Caldecote LCJ).

9 Lennard’s Carrying Co Ltd v Asiatic Petroleum Co Ltd [1915] AC 705. It can, of course, be argued that the ‘identification doctrine’ is a fiction that simply conceals the fact that a company is being held vicariously liable for a crime committed by a director: see eg Sullivan, GRThe attribution of liability to limited companies’ (1996) 55(3) Cambridge Law Journal 515 CrossRefGoogle Scholar. I will come back to this point in due course.

10 Tesco Supermarkets Ltd. v Nattrass [1972] AC 153.

11 Ibid, at 178. See also the speech of Lord Diplock at 199–200.

12 Tesco Supermarkets Ltd. v Nattrass [1971] UKHL 1.

13 This phrase, used in s 196 to determine the limits to a senior manager’s representation of the company itself, is drawn from the civil law of agency, and is deeply problematic in this context, although there is no space to pursue the matter here.

14 FCA ‘Senior managers and certification regime’, https://www.fca.org.uk/firms/senior-managers-certification-regime (last accessed 16 January 2025). See also the treatment of ‘senior managers’ in the Online Safety Act 2023.

15 Wells, CCorporate crime: opening the eyes of the sentry’ (2010) 30(3) Legal Studies 370.CrossRefGoogle Scholar

16 The Government’s impact assessment for the Bill estimated the total cost of the corporate transparency and Companies House reforms at £289m. It also estimated the annual cost to businesses at £18.9m: Taylor, above n 1.

17 Meaning companies meeting two or more of the following criteria: more than 250 employees, more than £36m in turnover, and more than £18m in total assets.

18 Gleason, K et al ‘Fraud in startups: what stakeholders need to know’ (2022) 29(4) Journal of Financial Crime 1191 CrossRefGoogle Scholar.

19 Broderip v Salmon [l895] 9 Ch 323 at 330–331 and 341.

20 Continental Tyre and Rubber (GB) v Daimler Company Ltd (1916) 1 KB 893, 916.

21 Daimler and Co v Continental Tyre and Rubber Co [1916] 2 AC 307 at 316.

22 Houghton and Co v. Nothard, Lome and Wills Ltd [l928] AC 1 at 14.

23 Meridian Global Funds Management Asia Ltd v Securities Commission [1995] 2 AC 500 (HL) at 506–507.

24 See eg Wolf, SThe legal and moral responsibility of organisations’ in Pennock, JR and Chapman, JW (eds) Criminal Justice (New York: New York University Press, 1985)Google Scholar. A number of jurisdictions around the world do not recognise corporate criminal liability, preferring to govern companies through regulation.

25 (1908) 212 US 481.

26 Ibid, at 495.

27 Sullivan, above n 9, at 516.

28 An account of the conceptual foundations of failure-to-prevent offences will be found in Horder, J A Theory of Corporate Crime (Oxford: Oxford University Press, 2025)Google Scholar chs 1 and 3.

29 [1972] AC 153 (HL).

30 Tesco Supermarkets v Nattrass [1972] AC 153 at 179F. In that regard, FB Sayre remarked of vicarious liability that it ‘violates the most deep-rooted traditions of criminal law [and is] a conception repugnant to every instinct of the criminal jurist’: Sayre, FBCriminal responsibility for the acts of another’ (1930) 43(5) Harvard Law Review 689 CrossRefGoogle Scholar at 702.

31 For example, s 40 of the Companies Act 2006 says, ‘in favour of a person dealing with a company in good faith, the power of the directors to bind the company, or authorise others to do so, is deemed to be free of any limitation under the company’s constitution’.

32 Gramophone and Typewriter Ltd v Stanley [1908] 2 KB 89 (CA) at 105–106 per Buckley LJ, ‘The Directors are not servants to obey directions given by the shareholders as individuals; they are not agents appointed by and bound to serve the shareholders as their principals. They are persons who may by the regulations be entrusted with the control of the business, and if so entrusted they can be dispossessed from that control only by the statutory majority which can alter the articles. Directors are not, I think, bound to comply with the directions even of all the corporators acting as individuals.’

33 See Wells, C Corporations and Criminal Responsibility (Oxford: Oxford University Press, 2nd edn, 2001) pp 155156 CrossRefGoogle Scholar.

34 See generally Micheler, E Company Law: A Real Entity Theory (Oxford: Oxford University Press, 2021).CrossRefGoogle Scholar

35 Micheler, above n 34, p 1.

36 Wells, above n 33, pp 158 and 159.

37 Discussed by Wells, above n 33, pp 136–138. See also Coffee, JCCorporate criminal liability: an introduction and comparative survey’ in Eser, A et al Criminal Responsibility of Legal and Collective Entities (Freiburg im Breisgau, 1999) pp 9, 33.Google Scholar

38 See eg Bant, ESystems intentionality: theory and practice’ in Bant, E (ed) The Culpable Corporate Mind (Oxford: Hart Publishing, 2023) p 183 CrossRefGoogle Scholar.

39 See Wells, above n 33.

40 Chalmers, J and Leverick, FFair labelling in criminal law’ (2008) 71(2) Modern Law Review 217.CrossRefGoogle Scholar

41 Wells, above n 33, p 158.

42 Law Commission, above n 5, paras 6.39–6.41.

43 Wells, above n 33, p 159. In some instances, real entity theory can be relevant to inculpation, but just not in the way that real entity theorists currently suppose. For example, the failure-to-prevent fraud offence requires inter alia that an associated person act with an ‘intention to benefit’ (directly or indirectly) the main company or (in short) one of its customers. It is submitted that ‘benefit’ here could and should be interpreted to include the furtherance of any overarching goals integral to the firm as a evolving business concern (as a real entity), and not just benefits (say) stipulated as such in the wrongdoer’s contract. I return to this point at the end of section 3 below.

44 ‘Economic Crime and Corporate Transparency Act 2023: guidance to organisations on the offence of failure to prevent fraud’ (6 November 2024), https://www.gov.uk/government/publications/offence-of-failure-to-prevent-fraud-introduced-by-eccta/economic-crime-and-corporate-transparency-act-2023-guidance-to-organisations-on-the-offence-of-failure-to-prevent-fraud-accessible-version (last accessed 16 January 2025).

45 Law Commission, above n 5, ch 4.

46 Lennard’s Carrying Co Ltd v Asiatic Petroleum Co Ltd [1915] AC 705. See, in particular, the speech of Lord Diplock in Tesco Supermarkets Ltd v Nattrass [1972] AC 153.

47 SFO v Barclays plc & Another [2018] EWHC 3055 (QB).

48 See for example the discussion of Moore v I Bresler [1944] 2 All ER 515, in St Regis Paper Company Ltd v R [2011] EWCA Crim 2527.

49 [1972] 1 WLR 118. The reform would also in effect reinstate the decisions in cases such as Moore v I Bresler: see above n 47.

50 [1972] 1 WLR 118 at 122.

51 Coppen v Moore (No 2) [1898] 2 QB 306; United States v Hilton Hotels Corp, 467 F2d 1000 (9th Cir 1972).

52 As we will see in section 3 below, this notion turned out to be unfounded, as illustrated by the decision in SFO v Barclays plc & Another [2018] EWHC 3055 (QB).

53 Tesco v Nattrass [1972] AC 153 at 187G–H (emphasis added).

54 See text following n 50 above.

55 Meaning someone over whom the company ought to exercise supervision. On this point, see the discussion in J Horder and G Watts ‘The scope of liability for failure to prevent economic crime’ (2021) Crim LR 851.

56 For a possible example, see SFO v Barclays plc & Another [2018] EWHC 3055 (QB). Celia Wells argues that it should be possible for a company to escape conviction for an offence even when committed by a senior manager, if the commission of the offence did not, ‘represent the practices and procedures of the corporation’: Wells, above n 33, p 159.

57 See eg Arlen, JThe potentially perverse effects of corporate criminal liability’ (1994) 23(2) The Journal of Legal Studies 833 CrossRefGoogle Scholar; Wells, above n 33, p 159.

58 Law Commission, above n 5, para 4.25. Naysayers included the CPS and the SFO.

59 Law Commission, above n 5, paras 4.67–4.68.

60 The Canadian case law on the meaning of ‘senior officer’ seems in practice to have confined that notion to individuals with strategic policy responsibilities: see Implementing the OECD Anti-Bribery Convention in Canada: Phase 4 Report (Paris: OECD, 2023) paras 253–255, https://www.oecd.org/en/publications/implementing-the-oecd-anti-bribery-convention-phase-4-report-canada_a063fdd3-en.html.

61 See text above at n 60.

62 Criminal Code (Canada), s 22.2, as applied to the Corruption of Foreign Public Officials Act (Canada) 1999.

63 OECD, above n 60, paras 252–253.

64 By virtue of the Criminal Justice Act 2023, s 14.

65 Having said that, s 196 does cover some crimes, such as export offences, to which the failure-to-prevent offence is inapplicable, and to that extent makes a difference to the scope of liability. The ECCTA 2023 extends the new identification doctrine principles to the serious export control offence of being ‘knowingly’ concerned in the export of goods with intent to evade a restriction or prohibition, contrary to s 68(2) of the Customs and Excise Management Act 1979, a very welcome step. Compare the position with accessorial liability in tort for human rights breaches: Kadie Kalma & Others v African Minerals Ltd & Another [2018] EWHC 3506 (QB).

66 [1915] AC 705 (HL).

67 See generally Chalmers and Leverick, above n 40.

68 Section 12 of the Companies Act 2006 states, ‘The statement of the company’s proposed officers required to be delivered to the registrar must contain the required particulars of – (a) the person who is, or persons who are, to be the first director or directors of the company…’.

69 See n 31 above.

70 SFO v Barclays plc & Another [2018] EWHC 3055 (QB), para 86.

71 On the collective responsibility of directors, however minor their executive role, see eg Powers v Greymountain Management Ltd [2022] IEHC 599.

72 I say ‘in-principle’ liability, because failure-to-prevent offences are subject to a defence of adequate or reasonable procedures.

73 It is for these reasons that James Gobert and Maurice Punch seek to present corporate involvement in crime as involving a kind of complicity: see Gobert, J and Punch, M Rethinking Corporate Crime (London: Butterworths, 2003)Google Scholar. However, corporate ‘complicity’ is a notion that does not work well in cases where senior company officials were unaware of wrongdoing taking place, even if, had they been more watchful, they would have been. The failure-to-prevent model is better suited to deal with this key issue.

74 See eg D’Souza, MThe corporate agent in criminal law: an argument for comprehensive identification’ (2020) 79(1) Cambridge Law Journal 91.CrossRefGoogle Scholar

75 In Finland, failure-to-prevent is treated as on a par with direct commission, so far as corporate liability is concerned. In chapter 9 (743/1995) of the Finnish Criminal Code, section 2 (61/2003) states ‘A legal person shall be sentenced to a corporate fine, if a person who is a member of its statutory body or other management or who exercises actual decision-making power in the legal person has been involved in an offence or allowed the commission of an offence, or if the care and diligence necessary for preventing an offence have not been observed in the operations of the legal person.’

76 See https://www.nationalcrimeagency.gov.uk/what-we-do/crime-threats/fraud-and-economic-crime#:~:text=The%20threat%20from%20fraud&text=The%20most%20robust%20figures%20currently,are%20estimated%20to%20go%20underreported (last accessed 16 January 2025).

77 The crimes of failing to prevent the facilitation of tax evasion, contrary to the Criminal Finances Act 2017, provide a less clear analogy with the new offences under the ECCTA 2023, in virtue of the fact that such offences can be committed even when the predicate offence (facilitating tax evasion) was not committed in order to benefit the company. See K Laird ‘The Criminal Finances Act 2017: an introduction’ (2017) Crim LR 915.

78 ECCTA 2023, ss 201 and 202.

79 Hutton, G Business Statistics: House of Commons Research Briefing (House of Commons Library, 2022) p 4.Google Scholar

80 Ibid.

81 See Hansard HC Deb vol 737, col 947, 13 September 2023 (Kevin Hollinrake MP) https://hansard.parliament.uk/Commons/2023-09-13/debates/6B54D16C-EB32-4B94-A02C-D1128422C107/EconomicCrimeAndCorporateTransparencyBill.

82 Ibid, col 938.

83 See the discussion of Lord Garnier’s amendment: Hansard HC Deb vol 738,25 October 2023, https://hansard.parliament.uk/commons/2023-10-25/debates/9B96F457-D7EB-4A0E-923D-6D9521659DA3/EconomicCrimeAndCorporateTransparencyBill (last accessed 16 January 2025).

84 J Schwartz et, al ‘Financial prominence and financial conditions: risk factors for 21st century corporate financial securities fraud in the United States’ (2021) 39(3) Justice Quarterly 612.CrossRefGoogle Scholar

85 ‘Prepare annual accounts for a private limited company’, https://www.gov.uk/annual-accounts/microentities-small-and-dormant-companies (last accessed 16 January 2025).

86 On ‘subsistence’ small businesses see eg CM Jardon ‘Satisfaction level and competitiveness in subsistence small businesses’ (2018) 56(5) Management Decision 25. On ‘lifestyle’ entrepreneurship, see Marcketti, SB et alAn exploratory study of lifestyle entrepreneurship and its relationship to life quality’ (2006) 34(3) Family and Consumer Sciences Research Journal 241.CrossRefGoogle Scholar

87 Croall, HWho is the white-collar criminal?’ (1989) 29(2) British Journal of Criminology 157.CrossRefGoogle Scholar

88 Lloyd v Grace, Smith & Co [1912] AC 716 (HL).

89 See the discussion of the nexus-of-contracts theory in Micheler, above n 34, ch 1.

90 Mohamud v WM Morrison Supermarkets [2016] UKSC 11.

91 See above n 3.

92 See Micheler, above n 34, and the discussion above in n 43.

93 See the discussion in Law Commission, above n 5, ch 8. UK Joint Committee on Human Rights ‘Human Rights and Business 2017: promoting responsibility and ensuring accountability, Sixth Report of Session 2016–17’, 5 April 2017, available at https://publications.parliament.uk/pa/jt201617/jtselect/jtrights/443/443.pdf (last accessed 16 January 2025).

94 ‘Business population estimates for the UK and regions 2022: statistical release’, https://www.gov.uk/government/statistics/business-population-estimates-2022/business-population-estimates-for-the-uk-and-regions-2022-statistical-release-html (last accessed 16 January 2025). Only 2% of UK businesses trade from more than one site.

95 Health and Safety at Work Act 1974, s 3.

96 Online Safety Act 2023, Pt 5.

97 See the discussion in section 1 above.

98 The same point could be made about the Financial Conduct Authority, which also operates with a risk-management focused, as opposed to harm-based, set of principles: see https://www.handbook.fca.org.uk/handbook/PRIN/2/1.html (last accessed 16 January 2025).

99 For strong criticism of the use of the risk-management model by prosecutors in economic crime cases, see eg Woody, KNo smoke and no fire: the rise of internal controls absent anti-bribery violations in FCPA enforcement’ (2017) 38 Cardozo Law Review 1727.Google Scholar