New economic crime legislation: what higher education institutions need to know about preventing fraud and corporate liability
Fraud is a hot topic right now for higher education institutions. Not only do students often find themselves as soft targets for fraud (ie 'money mules' or in relation to Authorised Push Payment/ APP fraud), but the institution itself now has its own responsibilities to reduce the likelihood of a fraud event taking place.
The Economic Crime and Corporate Transparency Act 2023 (ECCTA) introduces significant changes to corporate liability for fraud. Understanding these new rules is critical to safeguarding your institution and its reputation.
The ECCTA is a significant piece of legislation targeted at tackling economic crime in the UK. The new Failure to Prevent Fraud offence (section 199) and the senior managers attribution offence (section 196) will have a meaningful impact on higher education institutions, large and small.
S199: Failure to prevent
S199 introduces a new criminal offence - failure to prevent fraud. It applies to large organisations, including corporate bodies.
A higher education institution is considered a “large organisation” if it meets two of the three following thresholds in the previous financial year:
- Turnover exceeded £36 million
- Balance sheet totalled more than £18 million
- More than 250 employees.
If an institution meets that definition, it will be guilty of offence if a person “associated with” the institution (an employee/ agent/ subsidiary) commits a fraud offence intending to benefit the institution or someone receiving services on its behalf. Relevant offences include:
- Cheating the public revenue
- False accounting/ fraud by false representation
- Money laundering offences under the Proceeds of Crime Act 2002.
Good examples of frauds intended to benefit the institution are falsifying the institution's accounts or making false statements regarding, say, the nature of studying at the institution in order to boost course take-up.
Importantly, institutions have a defence if they had reasonable prevention procedures in place (or if it was reasonable not to have any). The Government has issued guidance on what might constitute reasonable procedures and a court will have reference to this when assessing culpability.
The guidance suggests that institutions should (amongst other things) conduct a comprehensive assessment of their fraud risk, design and implement proportionate prevention procedures (which are appropriate to the institution and its particular circumstances) and monitor/review/improve fraud prevention measures on an ongoing basis. Importantly, though, institutions must have an anti-fraud culture and a top-level commitment towards anti-fraud.
Higher education institutions can be guilty of failing to prevent fraud from 1 September 2025 onwards.
S196: Corporate liability for senior managers’ conduct
Unlike the failure to prevent offence, the s196 offence applies to anybody corporate or partnership. The size of the institution is irrelevant.
Under s196, an institution can be criminally liable if a senior manager (which is an intentionally broad definition and which essentially captures any person who plays a significant role in making decisions about the institution's activities or managing/organising those activities) commits an offence listed in ECCTA while acting within the scope of their authority, or if they assist in committing an offence.
Examples include:
- False accounting or fraud by senior staff
- Money laundering offences
- Breaches of financial regulations or sanctions.
Critically, there is no defence available for having had reasonable fraud prevention measures in place. Further, the offence has been in force since Boxing Day 2023. Higher education institutions could therefore find themselves guilty of this offence now.
Key takeaways for higher education institutions
Both s199 and s196 carry the risk of significant fines and potentially irreparable reputational damage.
If they have not done so already, large higher education institutions should assess their fraud risk and design/implement reasonable fraud prevention measures before 1 September. A policy is a good starting point, but, as mentioned above, institutions will need to have an embedded anti-fraud culture. It will not be enough to simply have a policy - it needs to be followed and its measures properly integrated.
All higher education institutions should be alert to the conduct of senior staff. As there is no defence to s196 of having reasonable anti-fraud measures, it is arguably even more important to have an anti-fraud policy and an anti-fraud culture - the risk of fraud must be tackled at source. Otherwise, smaller institutions, in particular, will find themselves guilty of the acts of senior staff who have 'gone rogue'.
ECCTA signals increased emphasis on organisational accountability. Higher education institutions must take proactive steps now to understand and respond to these changes. Considered preparation will help protect your institution and its reputation in the face of rising expectations around the prevention of fraud.