I’ll start with something for the meme lovers.

Does anyone remember Brenda from Bristol, who in response to a BBC interviewer’s question, asking her what she thought about Theresa May’s decision to call an early general election in 2017 only two years after the previous one in 2015, cried “You’re joking – not another one!”.

Niche. But it’s worth a watch.

Well, I found myself crying “Not another one!” in a Brenda-esque fashion last week, when I read the headline that former Ethereum lawyer, Steven Nerayoff, claims that he is aware of a massive fraud at the centre of the Ethereum network, apparently “bigger than the FTX fraud”, and perpetrated by none other than the Ethereum founders themselves.

As yet, we have no idea as to the veracity of these allegations. However, Sam Bankman-Fried’s guilty verdict earlier this month, and multiple other high-profile collapses and bankruptcies allegedly caused by an underlying fraud, have fuelled the crypto naysayers’ party line that the crypto world is comprised solely of scammers, fraudsters, and money launderers. “Fraud” and “crypto” are now inextricably linked in the minds of the public and in the press. A monumental fraud at the heart of Ethereum would add credence to the notion that crypto is or should be dead. Long live fiat.

However, my response to that, continuing Brenda from Bristol’s line of thinking, remains: “Oh for God’s sake…honestly, I can’t stand this!”.

Fiat is still the preferred medium for most financial crime, including fraud. Fraud perpetrated by any means remains the most common crime experienced in England and Wales, with 1.15 million fraud and computer misuse offences recorded in our fair land between 2022/23, the highest it has ever been.

Legislation slipping under the corporate radar

Cue the government’s latest efforts to tackle the fraud epidemic: the Economic Crime and Corporate Transparency Act 2023 (ECCT), which came into force on 26 October. It introduces two major changes in the law:

1. a new offence of ‘failure to prevent fraud’; and
2. an expansion of the scope of individuals whose criminal conduct can be attributed to a company for economic crime under the ‘identification principle’.

While the crypto industry has been understandably focusing on the latest regulatory developments in the UK, including the implementation of the financial promotions regime with respect to crypto assets on 8 October 2023, and the publication of the final proposals for crypto and stablecoin regulation on 30 October 2023, this piece of legislation may have slipped under the corporate crypto radar.

But under the ECCT, big industry players need to have implemented “reasonable” compliance procedures to prevent fraud, as a company can be found guilty of this offence where it failed to prevent fraud intended to benefit the company, committed by an “associated person”, defined widely as an employee, agent or subsidiary; an employee of a subsidiary; or a person who “otherwise performs services for or on behalf of the organisation”.

Why do I say ‘big’ industry players? Because the ECCT applies to a company only if it, and/or its group, meet two or more of the following criteria:

1. more than 250 employees;
2. more than £36 million turnover; or
3. more than £18 million in total assets.

Getting your house in order

I can hear a small- and medium-sized cheer from the small- and medium-sized crypto start-ups, which perhaps may not yet have the compliance wherewithal to ensure that it has implemented such reasonable procedures to prevent fraud, although such organisations should have already ensured that their compliance programmes have adequate and reasonable policies and procedures in place to prevent and detect other offences, including other ‘failure to prevent’ offences of bribery and facilitation of tax evasion.

Crucially, large overseas cryptoasset service providers may think that the legislation does not apply to them, particularly if they do not have a UK subsidiary. However, the jurisdictional reach of the ECCT is such, that even if a non-UK crypto asset service provider did not have any subsidiaries in the UK, the overseas company could still be liable for failing to prevent fraud if an associated person (e.g. an employee or a person performing services on behalf of the non-UK bank) committed fraud under UK law or targeted UK victims, with the intention ultimately to benefit the overseas company. This could capture a whole host of large overseas industry players that haven’t even set a corporate foot in the UK.

The organisation can defend itself if it has “reasonable procedures” in place to prevent fraud. Guidance is still awaited from the government as to what such ‘reasonable’ procedures might look like. But compliance officers will certainly need to conduct an appropriate fraud risk assessment and implement commensurately ‘reasonable’ procedures across their UK operations or those acting on behalf of the business in the UK, in addition to those for other failure to prevent’ offences, alongside, of course, its anti-money laundering and sanctions policies and procedures. And if all of this is news to you and you haven’t got a compliance officer yet…well you probably need to put an ad in the newspaper, stat.

The effect of the ECCT’s expansion of the ‘identification principle’ is that the actions of a wider group of people (defined as ‘senior managers’) can be attributed to the organisation for certain economic crimes, including fraud, theft, false accounting and concealing criminal property. The idea of this is to make it easier for authorities to pursue corporates for those offences, as well as the individuals concerned.

For fraud practitioners, this is all exciting stuff. For corporates caught by the legislation, not so much. But the hope will be that this legislation coupled with the full implementation of the crypto UK regulatory regime will reduce my need to shout “not another one!” à la Brenda from Bristol, and will allow the industry to thrive in the UK, as it should, without fraud being perceived as the driving force behind it.

The article was first published in City A.M. on 20 November 2023