Increased international exposure for Irish businesses

The UK’s new corporate fraud offence, which is due to come into effect shortly, creates potential criminal exposure for Irish businesses. Clearly, this will impact Irish businesses’ UK subsidiaries that have operations in the UK. But what may catch many unawares is the fact that the extra-territorial reach of the new offence is unusually broad: it will capture even non-UK businesses that have no operations or operational nexus within the UK in certain circumstances. We set out below an overview of the new UK corporate fraud offence and how Irish businesses can guard against this new risk.

Meanwhile, on the other side of the Atlantic, the advent of the second Trump Administration has resulted in a dramatic shift in US corruption enforcement policy. Since the 1970s, the US has been the global leader at the forefront of enforcement and, more particularly, extra-territorial enforcement of anti-corruption laws. However, President Trump’s February executive order has paused enforcement for a period of at least 180 days. While on its face this represents reduced corruption risk in the very short term, given the protectionist policy aims of the measure in the more medium term it may spell increased risk for non-US actors such as Irish businesses that fall within the scope of US anti-corruption rules.

The UK’s new ‘failure to prevent fraud’ offence

The UK’s Economic Crime and Corporate Transparency Act 2023 (the 2023 Act) represents a major overhaul of the UK’s framework for addressing financial crime. One of the key innovations of this legislation is a new ‘failure to prevent fraud’ offence which will make it easier to prosecute companies for fraud.

The new offence, which is due to come into effect on 1 September 2025, imposes criminal liability on “large organisations” where an associate – i.e. an employee, agent, subsidiary or person performing services on the organisation’s behalf – commits a specified fraud offence with the intention of benefiting the organisation. In other words, criminal liability will be attributed to large organisations for the fraudulent acts of their personnel (whether employees or contractors) and subsidiaries. The maximum penalty for organisations is an unlimited fine.

Large organisations include corporate bodies and partnerships. They are defined in the 2023 Act as including only bodies that meet two or more of the following conditions in the financial year preceding the year in which the alleged fraud is said to have occurred:

1. the organisation has more than 250 employees;
2. the organisation has turnover of more than £36 million; and / or
3. the organisation has a balance sheet total of more than £18 million.

There are provisions which allow for aggregation of these thresholds in the case of group companies.[1] Liability can attach either to the parent or subsidiary as appropriate – including to the parent where a subsidiary’s associate commits an offence intending to benefit the parent.

The ‘failure to prevent fraud’ offence is a strict liability offence. It is irrelevant whether the fraud was known to the directors or management of the organisation. The only defence available is for the organisation to demonstrate that:

1. it had reasonable fraud prevention procedures in place; or
2. it was not reasonable to expect the organisation to have any prevention procedures in place.

In our view, it appears unlikely that many businesses of the scale sufficient to constitute large organisations would be able to successfully rely on a defence that it was reasonable not to have fraud prevention measures in place.

Impact on Irish businesses

The new offence will have broad reach outside the UK. Irish companies located or incorporated outside the UK can be captured by the offence where part of the offence takes place in the UK, where the offence causes harm in the UK or where the associate acting on behalf of the company is in the UK. For example, an Irish company could be held liable:

• if its counterparties or investors based in the UK suffered harm as a result of fraudulent acts committed outside the UK;
• for the acts of an employee committed while the employee was in the UK, even temporarily, and even if the Irish company had no UK presence – for example, sending a particular communication or processing a fraudulent payment;
• for the acts of any UK-based contractors or service providers, even if the Irish company had no UK presence; and
• for the acts of its subsidiary, or its subsidiary’s employees or agents, in the UK, even though the parent company is outside the UK. This is different from, and additional to, the scope for the UK subsidiary itself to be held liable.

Indeed, the UK Government’s explanatory note accompanying the 2023 Act states that “if an employee commits fraud under UK law, or targeting UK victims, their employer could be prosecuted, even if the organisation (and the employee) are based overseas”. This extra-territorial jurisdiction is markedly broader than the UK’s equivalent ‘failure to prevent bribery’ offence, introduced in 2010, under which organisations can only be prosecuted if they carry on business, or part of a business, in the UK.

Steps Irish businesses can take to avoid liability

Irish businesses should assess the extent of their UK ‘touchpoints’ to assess the scope for potential exposure under the 2023 Act. As above, there is a defence available where a business can show it had reasonable fraud prevention procedures in place. Therefore, potentially impacted businesses should review their anti-fraud frameworks to determine whether improvements to their existing procedures are warranted.

In broad terms, reasonable fraud prevention procedures would typically include some or all of the following systems and controls:

• Risk assessment: assess the nature and extent of an organisation’s exposure to the risk of fraud by its associates.
• Proportionate risk-based prevention measures: prepare a fraud prevention plan, with procedures to prevent fraud that are proportionate to the risks identified.
• Due diligence: undertake due diligence on persons who perform or will perform services for or on behalf of the organisation to mitigate fraud risk.
• Top-down commitment: the Board and senior management should foster a culture within the organisation in which fraud is not accepted. Senior management should have a leadership role in relation to fraud prevention.
• Communication: ensure fraud prevention policies and procedures are communicated, embedded and understood throughout the organisation.
• Training: ongoing training is key. Consideration should be given to the specific training needs of those in high-risk positions.
• Monitoring and review: monitor and review fraud detection and prevention procedures and make improvements where necessary.
• Whistleblowing measures: businesses should have appropriate whistleblowing arrangements in place. In line with the EU Whistleblowing Directive, most Irish businesses that qualify as large organisations captured by the UK’s ‘failure to prevent fraud’ offence will already be subject to the prescriptive requirements for whistleblowing channels and procedures that have applied to all Irish companies with 50 or more employees since 2023. Any businesses that have not updated their whistleblowing procedures for compliance with these changes should do so as a matter of priority.

Not only are the above measures prudent to help reduce both the risk of fraud and, consequently, the risk of being found liable for such in the UK; they would also leave any Irish business that implements a robust anti-fraud framework of this nature well placed in the event that Ireland introduces its own ‘failure to prevent fraud’ offence in the future. While there are not currently any legislative proposals to do so, Ireland previously followed the UK in introducing a ‘failure to prevent bribery / corruption’ offence and it is possible that Ireland will follow suit in the medium to longer term.

US developments

Since the 1970s, and the introduction of its landmark Foreign Corrupt Practices Act (the FCPA), the US has been the world leader in corruption enforcement, significantly outpacing other jurisdictions in the scale of its enforcement activity. As the very name of the US legislation suggests, the FCPA is concerned with overseas corruption. It applies not only to US businesses operating both in and outside the US, but to non-US businesses where there is a sufficient US nexus – for example, to an Irish business that is US listed or where an act alleged to form part of the offence occurred in the US.

Since President Trump’s executive order in February this year directing the US Department of Justice to suspend FCPA enforcement for a period of at least 180 days pending a review of the policies and guidelines governing enforcement, US enforcement efforts have come to a shuddering halt. However, there are a number of reasons why it would be unwise for Irish businesses within the scope of the FCPA to relax their compliance programmes:

1. First, the executive order represents a policy change only; there has been no change in the underlying law and, pending any such change in the future, the legal risk for businesses has not changed. At a minimum, it is very likely that future administrations will revert to the earlier position and will be able to prosecute past non-compliance.
2. While the enforcement pause is blanket in nature, the stated rationale for President Trump’s executive order relates to American interests only. Specifically, it refers to “overexpansive and unpredictable enforcement against American citizens and businesses” which “harms American competitiveness and, therefore, national security” and it emphasises the need to “eliminat[e] excessive barriers to American commerce abroad”.

This emphasis on a desire to ‘level the playing field’ for American businesses competing in foreign markets leaves open the possibility that non-American companies could continue to face investigations and enforcement action just as or even more than before. Indeed, even before recent events, a criticism that has often been levelled at FCPA enforcement historically is that the US has disproportionately targeted non-US businesses over US businesses who corrupt foreign officials. 

While the future of corruption enforcement under the Trump Administration is uncertain, it is clear that risks remain and particularly so for non-US businesses. Therefore, Irish businesses within the scope of the FCPA should remain pro-active and vigilant. In other words, the more prudent course is to continue to push to the top, not enter the race to the bottom that the shift in US policy may usher in.

If you would like further information, please contact Clara Gleeson, Senior Associate, Karla Hart, Associate, or any other member of our White-Collar Crime team.

Date published: 29 April 2025

[1] Parent companies constitute large organisations if the group that they head meets at least two of the following criteria: (i) an aggregate turnover of more than £36 million net (or £43.2 million gross); (ii) an aggregate balance sheet total of more than £18 million net (or £21.6 million gross); and / or (iii) more than 250 employees in aggregate.