Authored By: Amna Osman
Birmingham City University
Abstract
Corporate liability in the United Kingdom is undergoing a complete shift. Traditionally constrained by the Tesco v Nattrass “directing mind and will” test, enforcement against large corporations in particular has proved difficult, while smaller firms often overlook compliance obligations altogether. The Economic Crime and Corporate Transparency Act 2003 introduced the “Failure to prevent Fraud offence” with significant liability unless fraud prevention procedures are put in place. This article will explore the historical transitions of the Uk corporate liability, how well law works in practice and implications of the new offence toward small corporations. The conclusion urges SMEs to engage proactively with compliance, lest they face unlimited criminal and financial exposure. As well as a judicial revision of the offence
Introduction
This article will cover the huge shift of the UK’s corporate liability from restrictive to strict. While this is an advantage in most cases. In others, such as for smaller corporations, it is a concern as the regulation for corporate liability is shifting significantly. This is quite concerning, as organisations’ adaptations may be harder than we think. Especially for smaller firms. Due to the “failure to prevent fraud” offence being underreported, many small firms may be liable without knowing why.
Traditionally, for a company to be prosecuted for a criminal offence, it is necessary to prove mens rea and actus reus. Since the company itself cannot act or have its own intention, there is a legal person appointed to act on behalf of it, such as senior management. When a corporation is suspected of a criminal offence, the identification principle[1] is applied. The identification principle is the doctrine of attributing criminal liability to the organisation’s “directing mind and will.”
It is important that extra steps are taken to improve the corporate liability in the UK, where it’s fair and heavily targets the right corporations and not those caught in the crossfire.
Legal Framework
- Cyber Security and Resilience Bill 2025[2]: was introduced after the continuous cyberattacks toward essential public services sectors with the intent to enhance regulations and the requirement of reporting attacks, including ransomware attacks
- The Economic Crime and Corporate Transparency Act 2023 stand for the most significant act of corporate liability in the UK.
- Constitutional implication of the recent offence: the traditional requirement of mens rea for criminal charges will be conflicted with the new policy.
Judicial Interpretation
- A big case is the case of Tesco supermarket v Nattrass[3]. A manager of one of the branches neglected to change to update the prices of the stocks, and customers were charged full price for promotional items. The House of Lords held that Tesco was not guilty under the Trade Description Act 1968[4], as the manager of the store is not considered a “directing mind and will” of the company. This is when the identification principle was established.
Critical Analysis
- The Cyber Security and Resilience Bill 2025 puts a financial and legal burden on smaller public services providers for compliant frameworks, cybersecurity infrastructure and others.
- The identification principle has been proven to be harder to apply to larger, complex corporations, as “the directing mind and will” of an organisation are often unaware of or isolated from day-to-day misconduct. The principle is also restricted to those with functions in management and acting on behalf of the company. Meaning those without a superior position are often not held liable, as seen in the case of Tesco v Nattrass.
- SME vulnerability – while large companies may follow procedures of the “failure to prevent fraud” offence, smaller/medium companies lack the resources to put fraud prevention procedures in place. Therefore, they are more likely to suffer the unlimited financial penalties.
- the failure to prevent fraud offences can be challenged under Article 6 ECHR[5], which guarantees the right to a fair trial
- A strict legislation system will make it difficult for organisations competing with other organisations with lenient legislation systems. For example, the U.S. applies the doctrine of respondeat superior[6], which holds the employer jointly or severally liable for the employee’s misconduct; in most cases, a settlement would be enough to escape justice. The doctrine is strong in theory, but practically it’s too lenient, giving U.S. corporations an advantage over UK corporations.
Recent Developments
The Economic Crime and Corporate Transparency Act 2023[7] introduced the Failure to Prevent Fraud offence coming into force in September 2025: under this offence, organisations will be criminally liable where an employee or a party associated with the organisation has committed fraudulent activities on behalf of it unless there are prevention of fraud procedures in place. UK Finance has provided guidance on what are considered reasonable fraud prevention procedures.
The media has been positive, as it believed that it’s time for large organisations to be held accountable. Such as Phoenix Group[8] stating that “the approach to fraud prevention not only protects business and clients but also reinforces trust in the financial services sector. We will continue to review and evolve our practices in line with regulatory expectations and industry best practice.
Suggestions / Way Forward
- Jurisdictional review on the policy to balance fairness and adoption, such as the U.S. vicarious liability.
- Providing tailored guidance and penalties for SMEs by publishing sector-specific compliance guidance for smaller firms
- Providing disadvantaged businesses with grants used to improve fraud prevention procedures
Conclusion
In conclusion, the corporate liability in the UK reflects a deliberate shift from the restrictive identification doctrine towards a strict compliance-driven model of accountability. The upcoming Failure to prevent fraud offences is a turning point for every organisation, regardless of size; they must actively guard against employee-driven fraud or face unlimited liability. For small firms, it is a challenge. Without strict compliance to the policy, they may face hefty fines, prosecutions, and reputational damage. The law is no longer targeting individuals, instead it places the blame on the companies to prevent misconduct. The question is: are small firms truly aware of the scale of liabilities heading their way, and if not, will they survive once the new offence is upheld in 2025?
Reference(S):
[1] ‘Economic crime and corporate transparency act: identification principle for economic crime offences’ (GOV.UK, 1 March 2024) < https://www.gov.uk/government/publications/economic-crime-and-corporate-transparency-act-2023-factsheets/economic-crime-and-corporate-transparency-act-identification-principle-for-economic-crime-offences > accessed 25 August 2025
[2] Cybersecurity and Resilience Bill (2025)
[3] TESCO SUPERMARKETS LTD. APPELLANTS AND NATTRASS RESPONDENT [1972] A.C. 153
[4] The Trade Description Act 1968
[5] European Convention on Human Rights, Article 6
[6] Daniel J.H. Greenwood ‘Understanding Respondeat Superior’ (Hofstra Faculty) < https://sites.hofstra.edu/daniel-greenwood/understanding-respondeat-superior/> accessed 25 August 2025
[7] The Economic Crime and Corporate Transparency Act 2023
[8] “CEO of Phoenix Group, Andy Briggs, comments on the introduction of the Failure to Prevent Fraud Offence on 1st September 2025” (Phoenix Group, 22 August 2025) https://www.thephoenixgroup.com/news-views/andy-briggs-comments-on-the-introduction-of-the-failure-to-prevent-fraud-offence/ accessed 27 august 2025
