Extraterritorial Impact of New UK Corporate Criminal Liability Laws

January 12, 2024

Click for PDF

Key provisions of this Act came into force on 26 December 2023 and could affect businesses around the world. It is therefore essential to have a clear understanding of the new laws and what they could mean for your organisation.

Following intensive debate, King Charles III gave royal assent to the Economic Crime and Corporate Transparency Act 2023 (“ECCTA”) on 26 October 2023. As we set out in our client alert of 18 September 2023,[1] and in an article for Börsen-Zeitung of 25 November 2023,[2] the UK Government has described the corresponding bill as the most significant reform of the “identification doctrine”, which governed the attribution of criminal liability to corporate entities for more than 50 years.

Key Takeaways

  • The new laws governing how criminal liability can be attributed to a corporate entity for economic crimes apply to offences from 26 December 2023 onwards.
  • The ECCTA states that the actions of senior managers can be attributed to the corporate entity. The definition of senior managers is broad.
  • The new offence of failure to prevent fraud, which only applies to large organisations, cannot come into force until guidance is published. It is anticipated guidance will be published in the course of 2024.
  • The new laws governing attribution and the new offence of failure to prevent fraud can apply to non-UK corporate entities and to conduct outside the UK.
  • UK law enforcement agencies may use these laws to cooperate closely with foreign agencies. The principle of double jeopardy may not necessarily prevent prosecutions in multiple jurisdictions.
  • International companies should consider the practical steps outlined in this client alert, including identifying which officers and employees might fall within the definition of senior managers, assessing the extent to which they are exposed to risk of fraud, considering existing fraud prevention procedures and ensuring clear records of training and policies are retained.


New Rules of Attributing Criminal Liability to Corporate Entities

The ECCTA introduces the concept of a “senior manager” which defines whose actions can be attributed to a corporate entity. It is anticipated that this will allow prosecutors to fix companies with criminal liability more easily, as they no longer have to rely on the vague and narrowly applied “identification doctrine” which relies on identifying “the directing mind and will of the corporation”.[3] The concept of “senior manager” will include any individual who plays a significant role in:

  • the making of decisions about how the whole or a substantial part of the activities of the body corporate or partnership are to be managed or organised, or
  • the actual managing or organising of the whole or a substantial part of those activities.[4]

At present, the new attribution rules only apply to offences specified in schedule 12 of the ECCTA which are called “listed offences[5] and include various economic crime offences such as cheating the public revenue, false accounting, money laundering, bribery or fraud. However, this list is apt to be extended to other offences in the future. Indeed, on 14 November 2023, the UK Government introduced the Criminal Justice Bill 2023 which seeks to extend the new attribution laws to all types of crime for which corporate liability may be appropriate.[6] This bill is being considered by the House of Commons and it is currently unclear if and when it may be passed.

Extraterritorial Effect

A key feature of the new attribution laws is their wide extraterritorial effect. Corporate entities may be held criminally liable for an offence, even if the offending took place outside the UK as long as the offending would constitute a criminal offence in the location where it took place (see section 196(3) ECCTA).[7] Consider the following example:

A pharmaceutical company has a UK headquarters and a subsidiary in Germany, which has been underperforming. The Head of Accounting is based in Munich and is also a member of the management board of the German entity. She overstates the revenue of the German subsidiary when submitting the annual accounts in order to “smooth things over” until business improves. Therefore, the accounts of the Group were significantly inflated.

In Germany, this could constitute the offence of false accounting under section 331 of the Commercial Code (Handelsgesetzbuch). In the UK, this conduct could constitute false accounting under the Theft Act 1968 which is an offence listed in schedule 12 of the ECCTA. This means that both the German entity and the UK headquarters could potentially face prosecution in the UK.

Because the ECCTA does not require the corporate entity or partnership to be incorporated or formed in the UK, on its face, the ECCTA does not expressly require any particular tie to the UK. However, when introducing section 196(3), Parliament pointed out that a UK connection is required: “…criminal liability will not attach to an organisation based and operating overseas for conduct carried out wholly overseas simply because the senior manager concerned was subject to the UK’s extraterritorial jurisdiction; for instance, because that manager is a British citizen. Domestic law does not generally apply to conduct carried out wholly overseas unless the offence has some connection with the UK. This is an important matter of international legal comity.[8]

The extraterritorial ambit of the underlying offence will be relevant. As Parliament also noted, some offences, wherever they are committed, can be prosecuted against individuals or organisations who have certain close connections to the UK. Consider this example:

A telecommunications company has a UK headquarters and a subsidiary in Germany. The German subsidiary recently pitched for a large contract in India which, if successful, would boost its business and benefit the whole group. The German Head of Sales thought the pitch went well, but in order to be sure, he offers his contact in India an all-expenses paid holiday at a five star resort in Spain, on the understanding that the German subsidiary will be awarded the contract.

In Germany, this could constitute the offence of giving bribes in commercial practice (sec. 299 of the German Criminal Code). In the UK, this conduct could constitute the offence of bribing another person under the UK Bribery Act 2010 (“UKBA”) which is an offence listed in schedule 12 of the ECCTA. Both corporate entities, i.e. the German subsidiary and the UK headquarters, could potentially face prosecution in the UK. Prior to the ECCTA, it would have been difficult to prove that a Head of Sales was a directing mind and will of the company and prosecutors would arguably only have been able to bring charges for failure to prevent bribery.[9] However, it is likely that the Head of Sales would fall under the definition of senior manager and therefore allow the corporate entities to be prosecuted for the principal bribery offence,[10] despite their being no involvement by a board member.

It is also noteworthy that the new rules of attribution also apply to attempts or conspiracy to commit offences listed in schedule 12 as well as aiding, abetting, counselling or procuring the commission of those offences.[11] A senior manager may be based outside the UK but act as an accomplice to a UK offence. For example, a banker working for a Frankfurt bank could put the German bank at risk if he encouraged a London-based employee of its UK subsidiary to act in violation of the Financial Services and Markets Act 2000.

The new rules of attribution follow an international trend to hold legal entities more comprehensively accountable for criminal conduct committed by employees and other representatives. For instance, although German law does not recognise criminal liability of corporate bodies as such, the German Administrative Offences Act (Ordnungswidrigkeitengesetz, “OWiG”) allows a legal entity to be fined if certain “leading individuals” (Leitungspersonen) commit a criminal or an administrative offence. While some clarifications by the competent courts will be needed, the standard of a “leading individual” is arguably comparable with the notion of a “senior manager” now adopted under UK law.

The Offence of Failure to Prevent Fraud

The ECCTA introduces a new corporate offence of “failure to prevent fraud[12] which, following a controversial debate between the House of Commons and the House of Lords, only applies to “large organisations”.[13] Before this offence comes into force, guidance must be published[14] and it is anticipated that this will happen in 2024.

Under the new offence, an organisation will be liable where a specified fraud offence is committed by an “associate” for the organisation’s benefit (an employee, subsidiary or agent, or a person who otherwise performs services for or on behalf of the organisation), and the organisation did not have reasonable fraud prevention procedures in place. Importantly, it does not need to be demonstrated that senior personnel ordered or knew about the fraud.

The new offence will apply to bodies corporate and partnerships wherever incorporated or formed.[15] However, the Government Factsheet envisages there being a UK nexus: “If an employee commits fraud under UK law, or targeting UK victims, their employer could be prosecuted, even if the organisation (and the employee) are based overseas.”[16] The offence is clearly intended to have a broad application and could, for example, apply to any organisation offering goods and services through a website or providing an internet marketplace accessible to consumers based in the UK.

In order for an organisation to be guilty of the offence of failure to prevent fraud, an offence listed in schedule 13 ECCTA has to be committed. The listed offences include, for example, the statutory offences of fraud, false accounting, false statements by company directors, fraudulent trading or the common law offence of cheating the public revenue.[17] This includes aiding, abetting, counselling or procuring the commission of a listed offence, but – in contrast to section 196(2) – does not extend to conspiracies.[18]

In order to understand the extraterritorial reach of the offence of failure to prevent fraud, the jurisdictional ambit of the underlying offences in schedule 13 should be considered. On the basis of the Criminal Justice Act 1993 and the common law principles, the courts of England and Wales can: “apply the English criminal law where a substantial measure of the activities constituting a crime take place in England, and restrict its application in such circumstances solely in cases where it can seriously be argued on a reasonable view that these activities should, on the basis of international comity, be dealt with by another country.” (see R v Smith (Wallace Duncan) (No. 4))[19]. Consider the following example:

An international construction firm incorporated in France planned to build and sell a number of holiday cottages across France. The holiday cottages were specifically marketed to and attracted a number of UK investors. The construction firm ran out of money making it highly unlikely that the cottages would be built. However, the managers directed their sales team to continue selling the cottages anyway. They also discussed the issue with the construction firm’s auditors which led to the auditors signing off accounts, knowing they did not reflect the true financial position of the construction company. The result was that many individuals in the UK who had invested in the properties lost considerable amounts of money.

In the example above, both the construction firm and the auditing company in France may be exposed to prosecution for the offence of failure to prevent fraud on the basis that UK victims were targeted. Given the changes to the “identification doctrine” set out above, there might also be an argument to prosecute both companies for the underlying offence of fraud by false representation,[20] given in the impact on UK victims.

The above example also raises the question of whether corporate entities will be prosecuted for both the underlying offence e.g. fraud by false representation, and the offence of failure to prevent fraud for the same conduct. The Crown Prosecution Service guidance indicates that this is possible in relation to offences under the UKBA[21] but it does not appear to have happened in practice.

The underlying legal concept of the new offence and of similarly structured offences under English law,[22] is comparable with certain provisions under civil law systems (e.g. section 130 of the German OWiG)[23] which aim to sanction improper supervision.

Cooperation between Law Enforcement Agencies

The current trend of national enforcement authorities working together in cross-border cases is likely to continue and may expand to use the new legal tools under the ECCTA. In the examples set out above, it is conceivable that at least the individuals and the subsidiaries in Germany may find themselves prosecuted by German criminal law enforcers – in addition to prosecution by UK authorities.

In particular, the EU-UK Trade and Cooperation Agreement (“EU-UK Agreement”) governs the relationship between the EU and the UK post Brexit. It contains provisions about cooperation in criminal matters between the UK and EU Member States,[24] including mutual judicial assistance, surrender, exchange of criminal record information, and confiscation. Furthermore, the EU-UK Agreement strives to ensure that special EU enforcement agencies like Europol and Eurojust cooperate with UK authorities. In addition to cooperation between the UK and EU Member States, the UK is also party of numerous other bilateral treaties on mutual legal assistance in criminal matters.[25]

In its Annual Report for 2022, Eurojust stated that the United Kingdom participated in 29 Joint Investigation Teams and 79 coordination meetings.[26] While many investigations of Eurojust concern crimes like human trafficking and smuggling, these figures suggest that UK law enforcement may also seek cooperation in cases relating to offences under the ECCTA.

The new Director of the SFO, Nick Ephgrave QPM has now been in place for just over three months, and it remains to be seen how he will guide the agency and use the new legal tools at his disposal and whether he continues the moves towards greater international cooperation. In the past, there have been several examples of successful cooperation between different enforcement agencies such as the settlement that Airbus SE reached with the UK, the United States and French authorities in 2020. All three settlement agreements were approved by the courts in each jurisdiction on the same day, indicating strong cooperation efforts between the three states involved.[27] In its judgment approving the DPA, the UK High Court stressed that international cooperation is crucial in cases of corporate wrongdoings across jurisdictions for many reasons, including to avoid forum shopping for settlements.[28]

The risk of an organisation being prosecuted in both the UK and other states for the same criminal conduct also depends on whether each jurisdiction applies the principle of double jeopardy. Generally, a defendant in the UK may argue that he should not be tried for the same offence in law and fact for which he was previously convicted or acquitted (autrefois acquit or autrefois convict). A UK conviction may not automatically prevent EU Member States from double prosecution, but only influence the sentencing in that other jurisdiction. International double jeopardy, however, is not uniformly accepted. Therefore, whether a jurisdiction will prohibit the prosecution of misconduct that was already resolved by a foreign court, must be determined on a case-by case basis, depending on which states are involved.[29]

Practical Steps

Following the new attribution laws in force since 26 December 2023 and in anticipation of the new offence of failure to prevent fraud likely coming into force later this year, we have set out some practical steps to be considered by corporate entities both inside and outside the UK.

Risk Analysis: companies should determine the business units most likely to be affected by the new regulations and the audience which may need particular training and supervision. This analysis may cover a variety of aspects such as:

  • the extent to which UK customers may be impacted by the business activities, predominantly with respect to selling goods or services to UK customers;
  • any other connection the entity has to the UK. This could include a subsidiary entity, a branch, employees working remotely or on secondment in the UK, as well as suppliers or other business partners in the UK;
  • identification of individuals who fall within the ECCTA definition of a “senior manager” whether they are based inside or outside the UK. Check whether the titles of individuals accurately reflect their roles, and whether the responsibilities of their managers are clearly defined and documented;
  • considering any parts of the business which are potentially vulnerable to the offences listed in schedules 12 and 13 of the ECCTA (e.g. offences under Financial Services and Markets Act 2000 may be particularly relevant for organisations offering financial services).

Recordkeeping: corporate entities should keep a clear record of policies, including previously applicable versions, and of conducted training. If needed, this might assist organisations in the future to show that reasonable prevention procedures were in place. These training materials and policies should reflect the outcome of the risk analysis mentioned above and address the practical realities of the relevant business units.

Culture: senior leadership teams may wish to consider whether any changes can be made to promote an open “anti-fraud” culture.

Whistleblowing: consider revising whistleblowing procedures to enable reporting of potential violations of foreign laws. This should assist with early identification of potential risks. Many enterprises in the EU are currently reviewing their procedures on whistleblowing in light of the EU whistleblowing directive and the respective implementation laws.[30]

Monitoring: the status and effectiveness of the compliance framework will need to be checked, regularly reviewed and continuously developed with regard to the risks arising from the ECCTA. This should include a regular testing of the threshold values for determining a “large organisation” as well as monitoring the catalogue of offences in schedules 12 and 13 of the ECCTA and associated legal risks. This will enable corporate entities to have a good overview of their current status and allow them to quickly assess whether they meet the requirements of the guidance once it is published. Obviously, a comprehensive review should take place once the UK Government has published its guidance on reasonable preventive measures, which we expect to happen in the course of 2024.


[1]  Expansion of Corporate Criminal Liability in the UK: Reform of the Identification Principle and New Offence of Failure to Prevent Fraud.

[2]  London verschärft das Unternehmensstrafrecht.

[3]  See our previous client alert, Expansion of Corporate Criminal Liability in the UK: Reform of the Identification Principle and New Offence of Failure to Prevent Fraud for further detail.

[4]  Economic Crime and Corporate Transparency Act 2023, s 196(4).

[5]  Economic Crime and Corporate Transparency Act 2023 schedule 12.

[6]  Criminal Justice Bill, Committee debates: compilation pdf of sittings so far, page 68.

[7]  Economic Crime and Corporate Transparency Act 2023 s 196(3).

[8]  https://hansard.parliament.uk/Lords/2023-06-27/debates/EF8264AF-6478-470E-8B37-018C4B278F6E/EconomicCrimeAndCorp rateTransparencyBill.

[9]  UKBA, s 7.

[10]  UKBA, ss 1, 2, 6.

[11]  Economic Crime and Corporate Transparency Act 2023, s 196(2).

[12]  Economic Crime and Corporate Transparency Act 2023, s 199.

[13]  As defined in Economic Crime and Corporate Transparency Act 2023, ss 201, 202. For further discussion see our previous client alert, Expansion of Corporate Criminal Liability in the UK: Reform of the Identification Principle and New Offence of Failure to Prevent Fraud.

[14]  Economic Crime and Corporate Transparency Act 2023, s 219(8).

[15]  Economic Crime and Corporate Transparency Act 2023, s 199(13).

[16]  Factsheet: failure to prevent fraud offence of 26 October 2023.

[17]  Schedule 13 ECCTA.

[18]  Economic Crime and Corporate Transparency Act 2023, s 199(6).

[19]  [2004] EWCA Crim 631.

[20]  Section 2 Fraud Act 2006.

[21]  Bribery Act 2010: Joint Prosecution Guidance of The Director of the Serious Fraud Office and The Director of Public Prosecutions.

[22]  See, e.g. failure to prevent bribery under the UKBA or failure to prevent facilitation of UK tax or foreign evasion offences under the Criminal Finances Act 2007.

[23]  Although OWiG, s 130 and the new UK offence sanctioning failure to prevent fraud have some similarities, there are also notable differences. Unlike ECCTA, s 199, the provision under German law is not limited to fraud offences and does not require that the person is acting with the intend to benefit anybody. Furthermore, unlike OWiG, s 130, the ECCTA establishes a direct criminal liability of the corporation itself. It is the responsibility of the corporation itself to prove that it had the necessary preventive procedures in place at the time the fraud offence was committed to avoid criminal liability. Under OWiG, s 130, the prosecution will take into account the preventive measures of the individual person obliged to exercise proper supervision.

[24]  Pursuant to Article 633 (1) EU-UK Trade and Cooperation Agreement, the provisions on mutual assistance (Title VIII) are meant to supplement and facilitate the provisions of the European Convention on Mutual Assistance in Criminal Matters, done at Strasbourg on 20 April 1959 and its additional protocols.

[25]  For a full list of all bilateral treaties, see https://www.gov.uk/government/publications/bilateral-treaties-on-mutual-legal-assistance-in-criminal-matters.

[26]  European Union Agency for Criminal Justice Cooperation, Annual Report 2022 – Eurojust Activity Map, United Kingdom.

[27]  See the respective press releases on 31 January 2020: U.S. Department of Justice; Serious Fraud Office, and the Parquet National Financier.

[28]  SFO v Airbus SE, Case No: U20200108, 31 January 2020, para. 92.

[29]  For an overview of national and international double jeopardy in various jurisdictions, see OECD, Resolving Foreign Bribery Cases with Non-Trial Resolutions, OECD Data Collection Questionnaire Results (2019) pp. 231 et seq.

[30]  Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law. National implementation laws do not necessarily require that violations for foreign law can be reported, see e.g. section 2(1) no. 1 of the German Whistleblower Protection Act (Hinweisgeberschutzgesetz).

The following Gibson Dunn lawyers prepared this client alert: Matthew Nunan, Allan Neil, Patrick Doris, Benno Schwarz, Katharina Humphrey, Amy Cooke, Andreas Dürr, Rebecca Barry, Sam Firmin*, Vanessa Ludwig, and Julian Reichert.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. If you wish to discuss any of the matters set out above, please contact the Gibson Dunn lawyer with whom you usually work, any member of Gibson Dunn’s White Collar Defense and Investigations and Anti-Corruption and FCPA practice groups, or the following authors in Frankfurt, London and Munich.

Matthew Nunan (+44 20 7071 4201, [email protected])
Allan Neil (+44 20 7071 4296, [email protected])
Patrick Doris (+44 20 7071 4276, [email protected])
Amy Cooke (+44 20 7071 4041, [email protected])
Rebecca Barry (+44 20 7071 4086, [email protected])
Sam Firmin* (+44 20 7071 4051, [email protected])

Munich / Frankfurt:
Benno Schwarz (+49 89 189 33-110, [email protected])
Katharina Humphrey (+49 89 189 33-155, [email protected])
Andreas Dürr (+49 89 189 33-219, [email protected])
Julian Reichert (+49 89 189 33-229, [email protected])
Vanessa Ludwig (+49 69 247 411-531, [email protected])

*Sam Firmin is a staff attorney working in the firm’s London office.

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.