Autumn Risk Roundup: what’s on the horizon for in-house teams

Last month at The Lawyer’s Managing Risk and Litigation conference, attendees discussed the issues they face in their role as in-house counsel. As expected, discussions revealed the role of an in-house lawyer extends beyond legal advice to navigating organisational complexity, bridging communication gaps, and advocating for governance and accountability within a challenging cultural and structural environment.

One of the themes arising from the sessions was risk: how organisations identify and monitor emerging legal risks, the interaction between in-house lawyers and risk functions, and strategies for gaining board attention on risk issues.

Below, we’ve summarised our takeaways as actionable lessons for legal teams seeking to proactively manage risk and strengthen organisational resilience.

Main takeaways for legal teams

Legal teams must develop robust processes to identify sources of emerging legal risk and track them as circumstances evolve. This includes staying alert to both internal and external developments that could impact the organisation.

2. Integration with risk functions

Effective collaboration between in-house lawyers and the organisation’s risk function is essential. Legal teams should clarify their role in the risk cycle and ensure they are involved in mapping and tracking risks.

3. Board engagement and influence

Securing the board’s attention on risk issues is a recurring challenge. Legal teams need strategies to ‘get a seat at the table’ and communicate the significance of legal risk, especially when boards may exhibit ‘shock immunity’ to potential liabilities.

4. Articulating the value of risk management

It’s important to demonstrate the value of risk management to leadership, highlighting not just costs incurred but also harm avoided. This helps boards appreciate the preventative impact of legal advice.

5. Navigating professional duty vs. commercial reality

Legal teams often face tension between professional obligations and commercial pressures. Discussions emphasised the importance of maintaining integrity while balancing these competing demands.

The proper use—and potential abuse—of legal professional privilege was discussed, especially in crisis situations. Legal teams should be clear on when and how to share legal advice, ensuring privilege is respected and not misused.

7. Lessons from high-profile failures

Recent organisational failures such as Post Office Horizon and Covid have highlighted common governance problems and the critical role of legal teams in identifying fault lines before they become major issues.

To help with point one, below is a round-up of the latest and upcoming legal risk issues on the agenda of experts from around our Dispute Resolution team. Combining this horizon scanning with our legal risk guide is hopefully a useful starting point for teams looking to proactively monitor and manage risk.

Corporate crime: failure to prevent fraud and SFO guidance

The latter half of 2025 has seen several significant developments in corporate crime and investigations.

Failure to prevent fraud

On 1 September 2025 the new corporate offence of “failure to prevent fraud” came into force. In broad terms, a “large” organisation will now commit an offence where a person associated with the organisation commits a fraud offence intending to benefit the organisation. The organisation will be liable even if it did not condone the activity or was unaware of it.

The only defence is for an organisation to prove that it had “reasonable” fraud prevention procedures in place. The Government has published guidance on “reasonable” fraud prevention procedures.

Organisations that have not considered their fraud prevention procedures need to do so now.

It is also worth remembering that there has already been a very significant change to corporate criminal liability in recent years. If a “senior manager” of an organisation commits a “relevant offence” (such as bribery, fraud, money laundering or tax evasion), the organisation will be guilty as well.

For further information please see our article: Burges Salmon – Corporate Crime & Investigations – New Approach to Corporate Criminal Liability & New Offence of Failure to Prevent Fraud (burges-salmon.com)

SFO cooperation guidance

The SFO has also published updated guidance for organisations on the co-operation the SFO now expects from corporates in order to avoid a prosecution and be invited to negotiations for a Deferred Prosecution Agreement (DPA). In a significant change in emphasis, the SFO now indicates that a DPA will be the ‘default’ resolution where there is a self-report and full co-operation. The SFO has also for the first time set itself specific target timeframes for responding to organisations who self-report. It remains to be seen whether the SFO’s encouragement of self-reporting will actually result in more self-reports.

For further information please see our article: Important new SFO guidance on corporate co-operation published: open the door or wait for the knock? – Burges Salmon

Secondary liability for directors and managers

An increase in enforcement for corporate offences increases the risk of criminal enforcement for directors and senior managers of companies.

Many corporate strict liability offences (e.g. Companies Act offences; environmental offences; health & safety offences) have provisions for imposing secondary liability: where an offence by a company can be proved to have been committed with the consent or connivance of a director or manager, or to be attributable to their neglect, the director or manager will also be guilty of the offence. Penalties on conviction include unlimited fines and imprisonment and likely director disqualification.

Increased enforcement for such offences against companies appears to be on the horizon. This brings an increased risk of investigation and prosecution against directors and senior managers for such offences.

Cyber: ransomware payments

Ransomware attacks are rising – and so is regulatory scrutiny. With new UK proposals on the horizon, in-house teams must navigate a complex legal landscape where payment decisions carry serious consequences.

Ransomware remains the UK’s most significant cyber threat. The legality of ransomware payments is complex, and recent enforcement trends and proposed legislation are tightening the net.

The UK Government’s Cyber Security and Resilience Bill proposes three key reforms to counter the increasing threat of ransomware:

  • Targeted Ban prohibiting public sector bodies and Critical National Infrastructure operators from paying ransoms.
  • Payment Prevention Regime requiring all victims (private and public sector) to notify the Government before paying. Payments may be blocked if they risk breaching sanctions or terrorism laws.
  • Mandatory Reporting requiring all ransomware incidents to be reported to UK authorities within set timeframes.

But the considerations for in-house teams go far beyond the proposed reforms. Ransomware payments might breach UK sanctions, anti-terrorism laws, and anti-money laundering obligations – each carrying serious criminal or regulatory consequences.

Beyond payment risks, teams must also contend with reputation issues and overlapping duties: mandatory breach reporting, sector-specific regulations, cross-border compliance, and cyber insurance conditions. Contractual obligations may further restrict payment options or require disclosure within the supply chain.

Practical steps for GCs and in-house teams: be ready before the crisis hits

  • Plan ahead: Align legal, IT, and leadership teams on your response strategy before an attack happens.
  • Agree your stance: Work with your organisation to decide when it would pay, refuse, or consider a ransom.
  • Review insurance: Understand what’s covered, excluded, and required for ransomware attacks. Consider all policies – cover isn’t necessarily limited to a standalone cyber policy.
  • Invest in resilience: Strong backups and tested recovery plans can significantly reduce the pressure to pay.

Being prepared isn’t just good governance – it’s essential risk management.

For more on cyber risk, see our latest update: Shielding Your Cyber Response: Why Legal Privilege Matters in the Wake of a Cyber Incident – Burges Salmon

Real estate: upwards-only rent reviews

Proposed Ban on Upwards-Only Rent Reviews in Commercial Leases

Upwards-only rent reviews have long provided income certainty for landlords, institutional investors and lenders. However, the Government argues they contribute to unaffordable rents and hinder high street resilience. The proposed reform would allow rents in new commercial leases to be adjusted upwards and downwards in line with market or index movements, enhancing tenant protection during economic downturns. What are the implications for Landlords, Investors and Occupiers?

The Government has introduced a proposal under the English Devolution and Community Empowerment Bill to prohibit upwards-only rent review clauses in new commercial leases.

Key provisions:

  • If enacted, the ban will apply to new leases and statutory/agreed renewals. It would not apply to existing leases or agreements entered into before the legislation takes effect.
  • The bill prohibits rent review clauses allowing only upward adjustments which are not fixed at lease commencement. It will affect open market, index-linked, and turnover-based reviews.
  • Parties cannot contract out of the ban.
  • Tenants will be able to trigger rent reviews if landlords delay.

What could this mean for Landlords, Tenants, and Investors?

For landlords and investors:

  • Valuation impact: potential impact on valuations and investor confidence. Reduced predictability of rental income may affect valuations and lending terms. Landlords may need to adjust investment models when acquiring property or refinancing.
  • Lease structuring: We may see more leases with stepped rents or shorter leases.

For tenants:

  • Negotiating position: Potentially stronger negotiation position, especially during lease renewals, and greater balance in leases.
  • Protection from market downturns: Rent could fall in line with market or index. Potentially valuable for businesses with variable income.
  • Higher rents?: If Landlords react by introducing stepped rents or higher initial rents, this could lead to further pressure on tenants.

Where does this leave GCs seeking to advise their businesses? Whilst there is still some way to go until the legislation becomes law, we recommend legal teams monitor the Bill’s progress and use the time to advise businesses to assess their portfolio exposure and prepare for a shift in lease structuring and negotiation dynamics to ensure the business is on the front foot if/when the Bill becomes law.

If you have any questions about this or would like any further detail, please see our Upwards Only Rent Reviews Proposed Ban Recording and Ban on upwards only rent reviews (UORRs): your questions answered – Burges Salmon or reach out to any of our Real Estate Disputes team including James Sutherland, Chris Preston, Catherine Banton and Penny Shannon.

Aviation: false reviews and hidden charges

DMCCA: New rules ground false reviews and hidden travel charges

The Digital Markets, Competition and Consumers Act 2024 (“DMCCA”) has introduced new prohibitions on false consumer reviews and drip pricing. With these changes significantly raising compliance expectations, GCs at airlines and travel companies with UK operations should prepare for increased regulatory scrutiny.

In April 2025, new provisions on unfair commercial practices in the DMCCA came into force, effectively replacing the Consumer Protection from Unfair Trading Regulations 2008. These updated rules retained core prohibitions – such as bans on aggressive practices, misleading actions or omissions, and falsely claiming adherence to codes of conduct – while introducing two significant new restrictions: a ban on false consumer reviews and a ban on drip pricing.

Drip pricing refers to the practice of advertising a headline price and then adding unavoidable charges during the purchasing process. Under the DMCCA, businesses must disclose the full mandatory cost of a product or service at the point of any “invitation to purchase”, a broad term covering adverts and promotional materials that could influence a consumer’s decision. For airlines and travel companies, this includes charges such as airport fees and Air Passenger Duty (APD), aligning with Article 23 of Regulation (EC) No 1008/2008, which requires full transparency on air fares.

Optional extras such as seat selection, priority boarding, and baggage are not currently considered mandatory and do not need to be included in the displayed price. However, this may change. A recent Spanish court ruling against Ryanair for charging for hand luggage, alongside an October 2025 vote by MEPs to revise Regulation (EC) No 261/2004 to mandate free cabin baggage, signals growing pressure to reclassify such costs as essential. This evolving European stance could influence UK regulators.

The Competition and Markets Authority (CMA) now has enhanced enforcement powers under the DMCCA, including the ability to impose penalties of up to 10% of global turnover without the need for court proceedings. A three-month grace period was granted for compliance, after which enforcement is expected to be robust. Further DMCCA provisions, including those related to subscription contracts, are due to come into force in Spring 2026 and may be particularly relevant to airlines and travel companies offering such schemes.

For more on Aviation, sign up to our newsletter here.

Organisations should be aware of regulatory, legal, and market developments that have immediate or anticipated near-term impacts on their procurement, development and use of AI, and access to markets.

Regulatory developments

Regulators globally continue to develop laws and produce guidance specific to AI. What impacts your organisation, when and how depends on where you and your supply chain operate. Regulations may have immediate or near-term effect, and could also have indirect effect as obligations get passed through the value chain.

  • The EU AI Act has been enacted and affects those using and selling AI systems, either operating in the EU or where AI outputs are in the EU. Implementation is staggered. For example, obligations on literacy and transparency, and prohibitions on specific AI use cases, are in force. Obligations on high-risk AI systems are due to be in force from 2 August 2026.
  • In the UK, the government’s delayed draft UK AI Bill is anticipated in 2026. However, there is a chance it is delayed further due to macro events and government goals for growth. There are other statutory proposals in the UK specific to AI which indicate direction of travel but are unlikely to become laws.
  • UK regulators are at various stages of producing guidance, engaging with the market, and regulatory initiatives such as AI sandboxes.

There is active and anticipated litigation globally. For example, copyright remains in focus – some claims are being settled but others, such as those between Getty Images and Stability AI, are anticipated to reach judgment. Market sentiment is that after years of investment, development, and deployment, there is the potential for litigation related to AI. For example, potential contractual claims for AI systems not delivered as required, and disputes about how AI was used.

Standards setting bodies globally are also active, such as ISO, IEEE, BSI, and sector-specific bodies. Organisations should keep a watching brief for such standards which may help them manage their AI development, but also may be relevant to contracts, such as reasonable or market practice.

Organisations should take a holistic view on legal risks based on their sector(s) and jurisdiction(s) and consider long-term legal risk management and impact on business strategies.

For more on AI, click here.

Criminal Justice reform: what it means for corporates

What it could mean for corporate defendants

Leveson’s Independent Review of the Criminal Courts represents a significant attempt to overhaul the criminal justice system in England and Wales, responding to increasing delays and backlogs. With Crown Court waiting lists at historic highs, the review details a strategy centred on structural reform for streamlining justice, reducing delays, improving efficiency and ensuring that offences are prosecuted effectively.

If the recommendations are accepted, the review proposes that, for lower-level offences where the maximum sentence is two years or less, defendants would no longer have an automatic right to elect a jury trial. This means in many circumstances corporate defendants will have their right to elect (jury) trial in the Crown Court restricted. Instead, more cases would be retained in the Magistrates’ Court to be decided by a judge (and in some cases, magistrates). The automatic right of appeal from the Magistrates’ Court would also be replaced with a requirement for permission to appeal.

Even where cases are allocated to the Crown Court, the review recommends the creation of specialist Crown Court divisions, including a new Crown Court Bench Division where a judge and two magistrates, rather than a jury, would hear either-way offences with sentences of up to three years. This proposed new division aims to relieve pressure on the Crown Court and accelerate case resolution.

All of this means corporate defendants will likely face trials without a jury. This change is designed to prevent unnecessary delays and ensure cases are heard at the most appropriate level, but will have practical and tactical implications for defences and operational implications for corporate defendants.

On the plus side, the review recommends expanding out-of-court resolutions and deferred prosecution schemes to divert minor cases from the courts, which may influence regulatory enforcement policy.

Overall, these reforms represent a significant transformation, aiming to create a more streamlined and efficient criminal justice system. By introducing specialist court divisions, reducing delays and limiting jury trials for lower-level corporate offences, Leveson aims to fundamentally reshape how corporate crime is prosecuted.

For more on this or wider corporate crime issues, please contact our Corporate Crime team including Guy Bastable, Charlotte Whitaker, Ben Davies, Sam Aldous and Tom Hubbard.

Health and safety: streamlining safety regulation

Streamlining safety regulation to unleash growth

The UK Government is seeking to reform safety regulations to promote economic growth. HSE’s consultations on LOLER and PSSR are part of wider initiatives to reduce unnecessary burdens.

The Health and Safety Executive (HSE) is consulting on streamlining the Lifting Operations and Lifting Equipment Regulations (LOLER) and Pressure Systems Safety Regulations (PSSR). This might seem esoteric, but these proposed reforms are part of a broader initiative to ensure that regulation supports innovation, reduces unnecessary burdens, and remains fit for purpose.

The UK Government’s Regulation Action Plan includes actions to:

  • reduce complexity and regulatory burden: The government seeks to streamline processes and reduce business bureaucracy. A particular target appears to be the health sector, where regulatory hurdles often delay the adoption of innovative medical technologies; and
  • address excessive risk aversion: To achieve this, the Government intends to review regulators’ performance. There appears to be a drive to balance safety against innovation, especially in emerging areas. One example of this is the Nuclear Regulatory Taskforce’s re-evaluation of the application of the ALARP (As Low As Reasonably Practicable) H&S principle.

The target is to cut the administrative costs of regulation for businesses by 25% by the end of this Parliament.

Read more about the issue here: Streamlining Safety Regulation to Unleash Growth: HSE Reviews LOLER and PSSR Regulations.

For more on legal risk, visit our interactive guide and sign up for the latest updates.
