13 December 2023 • 13 minute read

Europe’s changing corporate corruption legal framework will affect US companies too

Written by:Brian Benjet Katrina Hausfeld Jessica Heim Laura Ford Lauren O'Neil Kara Thomas BeckBen Morgan, Petros Nafpliotis, Aminat Molade

To date, compliance officers of companies operating in the US have tended to base their efforts on guidance from US regulators, such as the Department of Justice (DOJ) or Securities and Exchange Commission (SEC), and US laws such as the Foreign Corrupt Practices Act (FCPA), when developing anti-fraud and anti-bribery safeguards for their overseas operations.

Recent significant legislative developments in Europe may start to shift that US focus. This year, the UK introduced new corporate criminal offenses that include broad jurisdictional reach covering any company with a UK presence. Meanwhile, the European Union is signaling that in the coming years, member states will be strengthening and expanding their anti-corruption laws.

While US companies should continue to benchmark their compliance program frameworks against US regulator guidance, those entities doing business in the UK and/or EU should also ensure that their compliance programs are sufficient under these new laws.

UK: Economic Crime and Corporate Transparency Act 2023

On October 26, 2023, the UK’s Economic Crime and Corporate Transparency Act 2023 (ECCTA) received Royal Assent, expanding the legal framework under which companies are subject to liability for fraud. Nick Ephgrave, director of the UK’s Serious Fraud Office (SFO), described the new law as “the most significant boost to the [SFO]'s ability to investigate and prosecute serious economic crime in over 10 years.” [1]

The ECCTA introduces two key reforms: (i) a new “failure to prevent fraud” offense and (ii) an expanded scope of corporate criminal liability. The failure to prevent fraud model is significant because it places greater emphasis on the policies and procedures firms have in place to prevent wrongdoing than does US law, which is based on a vicarious liability model.

Failure to prevent fraud

The ECCTA adds fraud to the UK's "failure to prevent" model, which includes failure to prevent bribery [2] and failure to prevent the facilitation of UK and/or foreign tax evasion. [3] The failure to prevent model of liability is akin to strict criminal liability, as it does not require any intent on behalf of the company in order to be found guilty. There is, however, an affirmative defense if a company can demonstrate that it had adequate (ref bribery)or reasonable (ref fraud and facilitation of tax evasion) procedures in place to prevent the wrongdoing at the time of the misconduct.

It is critical that companies operating in the UK or with exposure to UK markets understand:

the substance of the new failure to prevent fraud offense, the categories of conduct it covers and to whom it applies
the jurisdictional reach of the new offense, including that if an associated person commits fraud under UK law, or targeting UK victims, intending to benefit the company, the relevant company can be prosecuted even if the company and the associated person are based outside the UK and
the content of the “reasonable procedures” defenses and the importance of strong corporate anti-fraud policies and procedures.

Offense and applicability

Importantly, this new offense means that prosecutors no longer have to prove intent – or even knowledge - to find corporate liability where a fraud takes place. Rather, all that is required is that they show that a person “associated” with the company committed a fraud offense, the company did not have “reasonable” preventative procedures in place, and the fraud was intended to benefit the company directly or indirectly. [4] The new offense aims to drive culture change towards improved fraud prevention procedures and to hold organizations accountable when they profit from fraudulent activities committed by their employees (or other associated persons).

This offense applies to “large organizations”. This is defined broadly to include companies that meet two of the following three criteria in the prior financial year: [5] (a) turnover of more than £36 million; (b) balance sheet total of more than £18 million; or (c) more than 250 employees. A parent and its subsidiaries are within scope if they cumulatively meet the size thresholds.

Liability can attach to a parent company where the actions of an employee of a subsidiary are intended to benefit the parent. Companies found guilty of the failure to prevent fraud offense can receive an unlimited fine. [6]

The new offense applies to a variety of fraudulent offenses including fraud by false representation, fraud by failure to disclose information, fraud by abuse of position, obtaining services dishonestly, participation in a fraudulent business, false statements by company directors, false accounting, fraudulent trading, and cheating the public revenue.

Jurisdictional reach

The failure to prevent fraud offense is designed to have broad jurisdictional reach, and the majority of the fraud offenses covered by the ECCTA, identified above, have wide extra-territorial effect. SFO guidance on the new law notes that “if an employee commits fraud under UK law, or targeting UK victims, the employer could be prosecuted, even if the organisation (and the employee) are based overseas.” [7] In other words, even if the company is not based in the UK and the fraudulent act is not committed in the UK, the company can still be prosecuted under the ECCTA if it fails to prevent an associate from committing a fraudulent act that harms someone in the UK. Associated person is defined broadly to include employees, agents, subsidiaries, and any person performing services on the company’s behalf. [8]

Reasonable procedures defense

Companies can avoid prosecution under the ECCTA if they have procedures in place to prevent fraud that are “reasonable,” which has yet to be defined. The UK Secretary of State is required to issue guidance on what constitutes reasonableness under the law and the steps companies should take to prevent fraud. [9] The Secretary of State has an existing analogous obligation under the Bribery Act 2010 to provide guidance on the meaning of “adequate procedures,” which it does through the following six principles: [10]

Principle 1: Proportionate Procedures
Principle 2: Top Level Commitment
Principle 3: Risk Assessment
Principle 4: Due Diligence
Principle 5: Communication (including Training)
Principle 6: Monitoring and Review

Expanded scope of corporate criminal liability

The ECCTA also expands the basis on which companies may face liability for a broader range of economic crimes, including fraud, bribery, money laundering, and other offenses. Currently, for a company to be liable for most criminal offenses in the UK, those offenses must be committed by a “directing mind and will” of the company, which generally means board member involvement in wrongdoing.

The ECCTA greatly expands this scope to include “senior managers” of a company if they are acting within the actual or apparent scope of their authority. Senior managers are defined as persons who play a significant role in the making of decisions about how the whole or a substantial part of the activities of the corporation or partnership are to be managed or organized or the actual managing or organizing of the whole or a substantial part of those activities. [11] This expanded definition accounts for the significant decision-making power delegated to management, and it allows for prosecutors to attach liability for a company based on the actions of a much broader set of individuals.

Proposed new EU anti-corruption framework

In recognition that the current framework to combat corruption across member states is weak, on May 3, 2023, the European Commission proposed a Directive focusing on anti-corruption [12] that seeks to harmonize and strengthen its tools. Specifically, the new framework, if implemented, would establish rules to update and harmonize definitions and penalties for corruption offenses to ensure that high quality criminal law tools are in place to fight the full range of corruption offenses, to better prevent corruption and to improve enforcement in each of the 27 EU member states. [13]

The proposed changes include:

corruption prevention by raising awareness of the negative impact of corruption on citizens and societies to address corruption risks before they emerge or deepen and stimulate a culture of integrity
an extension of the definitions of criminal corruption offenses beyond the classic bribery offenses, to include, for example, misappropriation, trading in influence, abuse of functions, as well as obstruction of justice and illicit enrichment related to corruption offenses
an introduction of minimum criminal penalties and sanctions for different offenses to ensure a level playing field in all member states
an extension of the statute of limitation to prosecute corruption in courts and
assurances that law enforcement and prosecutors have appropriate investigative tools and resources at hand to fight corruption. [14]

The Directive notes that existing EU legal frameworks on combating corruption need to be updated to reflect the evolution of corruption threats and the legal obligations of the EU and member states under international law, as well as the evolution of national criminal legal frameworks. Although the EU has existing rules to combat corruption, the Directive stresses that these instruments are not sufficiently comprehensive, and the existing rules in the member states need to be developed further to ensure a more coherent and effective response to corruption across the European Union.

Further, the Directive references enforcement gaps at the national level and thus obstacles in the cooperation between the competent authorities in different member states which have also emerged. Currently, authorities in the member states face challenges linked to the excessive length of prosecution, short statutes of limitations, rules on immunity and privileges, and limited availability of resources, training and investigative powers.

The proposal also seeks to promote consistency with other EU policies on (i) asset recovery; (ii) anti-money laundering; (iii) the protection of whistle-blowers; (iv) investor citizenship and residence schemes; (v) sanctions; and (iv) the protection of the EU’s financial interests.

Key takeaways: Likely impact on US companies

US companies should evaluate potential risks for their current operations in the UK and EU member states and assess new risks when expanding into the broader European market. Although the guidance on what constitutes reasonable procedures under the ECCTA has yet to come out, compliance officers should take note of the evolving legal landscape and consider the explicit and implicit impacts of the changes to develop and maintain a robust compliance program.

ECCTA takeaways

The ECCTA’s jurisdictional reach requires US companies to ensure that their compliance programs are sufficient to prevent and detect fraud and other crimes. Even for companies that do not target the UK market, it is best practice to implement programs which will identify any risk of fraud by an associated person, because the existence of any UK victims can create liability for a company under the ECCTA. Likewise, companies should proactively identify who the senior managers are within their own organizations, and whether their compliance environment adequately regulates these individuals.

Since reasonable compliance procedures are a defense to failure to prevent fraud claims under the ECCTA, companies with any connection to the UK should take this opportunity to enhance their compliance programs. While there is limited guidance on the meaning of “reasonable procedures” under the ECCTA, companies can use the existing guidance on the meaning of “adequate procedures” under the UK Bribery Act to inform their analysis and should implement the following practices:

the use of risk assessments to develop proportionate policies and procedures, designed to mitigate the risk of fraud perpetrated for the benefit of the firm. Firms should be particularly conscious of their potential exposure via overseas subsidiaries and third-party agents
the implementation and communication of these policies and procedures, including the provision of adequate training. Training should be tailored to the risk and responsibility of the relevant employee
suitable reporting channels, including effective whistleblowing policies and procedures
appropriate due diligence, especially in relation to conduct involving third-party agents
ongoing risk-based audit and monitoring to detect fraud, with enhanced procedures for higher-risk areas and
regular internal reviews of procedures to ensure their ongoing effectiveness and that they are appropriately designed to capture the specific risks facing the company.

EU Anti-Corruption Directive takeaways

The Directive will have to be negotiated and adopted by the European Parliament and the Council before it can become EU law. [15] However, this Directive does signal a renewed focus on anti-corruption efforts in the EU and provides an opportunity for US companies with a global reach to re-evaluate their current global anti-corruption policies.

Once the Directive is implemented, it will be crucial to recognize the changes to EU law, such as the extension of criminal corruption offenses beyond bribery, the updated criminal penalties and sanctions for various offenses, and the extension of the statutes of limitation.

Companies should also be aware that the Directive seeks to bolster the existing anti-corruption prevention and enforcement framework in member states. This “corruption prevention” portion of the Directive could affect companies’ need for corruption prevention training for employees in member states and could also affect compliance infrastructure which detects and prevents bribery and corruption.

Further, companies should allocate resources accordingly within their compliance programs to anticipate the Directive’s aim of increasing tools and resources for the enforcement of the broader criminal corruption offenses.

Going forward

Compliance programs at large US companies often focus on the expectations of US law and regulators – and rightfully so. However, the UK and EU have signaled that the prosecution of fraud and corruption is becoming a greater priority. Just as US anti-corruption and fraud laws have been consistently applied to non-US entities throughout the years, so too will these new UK and EU laws be applied to US companies.

Large US companies with a global presence should view these legislative changes as an opportunity to create, revise, and enhance their global compliance programs in order to better prevent and detect fraud and corruption in their operations, both at home and abroad.

To learn more about the implications of these changes for your business, please contact any of the authors or your usual DLA Piper attorney.

[1] Top 10 Anti-Corruption Developments for October 2023, JD Supra, Nov. 15, 2023 available at (https://www.jdsupra.com/legalnews/top-10-anti-corruption-developments-for-6898435/).
[2] Bribery Act 2010 s 7.
[3] Criminal Finances Act 2017 ss 45, 46.
[4] Economic Crime and Corporate Transparency Act 2023 (UK) s 199(1).
[5] Economic Crime and Corporate Transparency Act 2023 (UK) s 201(1).
[6] Economic Crime and Corporate Transparency Act 2023 (UK) s 199(12).
[7] Home Office, Factsheet: failure to prevent fraud offense (26 October 2023).
[8] Economic Crime and Corporate Transparency Act 2023 (UK) s 199(7).
[9] Economic Crime and Corporate Transparency Act 2023 (UK) s 204(1).
[10] Bribery Act 2010: Guidance about procedures which relevant commercial organizations can put into place to prevent persons associated with them from bribing (section 9 of the Bribery Act 2010).
[11] Economic Crime and Corporate Transparency Act 2023 (UK) s 196(4).
[12] Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on combating corruption, replacing Council Framework Decision 2003/568/JHA and the Convention on the fight against corruption involving officials of the European Communities or officials of Member States of the European Union and amending Directive (EU) 2017/1371 of the European Parliament and of the Council (EUR-Lex - 52023PC0234 - EN - EUR-Lex (europa.eu))
[13] Practical Law: EU Anti-corruption: European Commission adopts package of measures (https://uk.practicallaw.thomsonreuters.com/Document/I31df69d4e9c411ed8921fbef1a541940/View/FullText.html?transitionType=SearchItem&contextData )
[14] Practical Law: EU Anti-corruption: European Commission adopts package of measures (https://uk.practicallaw.thomsonreuters.com/Document/I31df69d4e9c411ed8921fbef1a541940/View/FullText.html?transitionType=SearchItem&contextData )
[15] European Commission: Anti-corruption: Stronger rules to fight corruption in the EU and worldwide (https://ec.europa.eu/commission/presscorner/detail/en/ip_23_2516 )