The Economic Crime and Corporate Transparency Act 2023 created a new failure to prevent fraud offence in the U.K. under which organisations may be convicted of a criminal offence if an employee, agent, subsidiary or other “associated person” commits a fraud intending to benefit the organisation. In-scope organisations are those that meet two out of three of the following criteria: more than 250 employees; more than £36 million turnover; and more than £18 million in total assets. An in-scope organisation can receive an unlimited fine if a breach is committed.
Organisations will have a defence to the offence if they have reasonable procedures in place to prevent fraud. On 6 November 2024, the U.K. government published guidance[1] setting out what those reasonable procedures should look like (the “Guidance”).
Background
When does the offence come into force?
The offence will come into force on 1 September 2025[2].
Types of fraud covered by the offence
The offence of failure to prevent fraud applies to several specific fraud offences. These are listed in Schedule 13 of the Economic Crime and Corporate Transparency Act 2023. Aiding, abetting, counselling, or procuring the commission of any of the listed offences would also qualify as a base fraud offence. The list of offences can be amended through secondary legislation and includes:
- Fraud offences under section 1 of the Fraud Act 2006, including:
  - Fraud by false representation (section 2, Fraud Act 2006)
  - Fraud by failing to disclose information (section 3, Fraud Act 2006)
  - Fraud by abuse of position (section 4, Fraud Act 2006)
- Participation in a fraudulent business (section 9, Fraud Act 2006)
- Obtaining services dishonestly (section 11, Fraud Act 2006)
- Cheating the public revenue (common law)
- False accounting (section 17 Theft Act 1968)
- False statements by company directors (section 19 Theft Act 1968)
- Fraudulent trading (section 993 Companies Act 2006)
Who commits the fraud?
The specified fraud offences mentioned above can be committed by a “person associated with” the organisation acting in that capacity. This captures employees, agents, or subsidiaries, as well as persons who provide services for or on behalf of the organisation while they are providing the services.
Territoriality
The failure to prevent fraud offence applies only where a specified fraud offence is committed under the law of the U.K. However, non-U.K. companies may be prosecuted in the U.K. if an employee or associated person of the organisation commits fraud in the U.K. or targets U.K. victims.
Reasonable fraud prevention procedures
The Guidance sets out a framework for organisations, which is informed by six principles:
- top level commitment;
- risk assessment;
- proportionate risk-based prevention procedures;
- due diligence;
- communication (including training); and
- monitoring and review.
The principles mirror those enshrined in the U.K. government’s guidance on the prevention of bribery and are intended to be flexible and outcome-focussed to accommodate the varied circumstances in which organisations may find themselves.
Top level commitment
Those tasked with governing an organisation should foster a culture within the organisation in which fraud is never acceptable. On a practical level, management’s involvement will vary depending on the size and structure of the organisation but is likely to include mission statements and leading by example, as well as empowering staff to speak up if they encounter fraud.
In some organisations, it may be appropriate for senior management to be personally involved in the design and implementation of fraud prevention measures. In other cases, senior management may delegate this task to the Head of Ethics and Compliance or a similar person who is responsible for the organisation’s financial crime compliance and prevention.
Risk assessment
Organisations should ensure their assessments are dynamic, documented, and regularly reviewed. As part of their assessments, they may wish to identify typologies of associated persons (e.g. agents, regular contractors). As regards typologies of risks, the Guidance suggests considering the constituent elements of the fraud triangle: opportunity, motive and rationalisation.
Proportionate risk-based fraud prevention procedures
Procedures should be proportionate to the fraud risks faced by an organisation. They should be clear, practical, accessible, effectively implemented and enforced. The level of prevention procedures considered to be reasonable should take account of the level of control and supervision the organisation is able to exercise over a particular person acting on its behalf and the relevant body’s proximity to that person. For example, a relevant body is likely to have greater control over the conduct of an employee than that of an outsourced worker performing services on its behalf. Nonetheless, appropriate controls should be implemented via the relevant contract.
Procedures should aim to reduce opportunities for fraud, motive for fraud, and include consequences for committing fraud.
Due diligence
Organisations should avoid applying existing procedures tailored to a different type of risk (outside of fraud) and should clearly articulate which procedures relate specifically to the prevention of fraud. Examples of expected due diligence on associated persons in the Guidance include reviewing contracts, using appropriate technologies, and conducting appropriate assessments in M&A contexts.
Communication
Organisations should ensure that procedures are communicated, embedded and understood throughout the organisation, through internal and external communication. Crucially, organisations should ensure that those who provide services for or on their behalf are aware of and understand the procedures.
A key element of this is having whistleblowing arrangements in place which enable staff to raise concerns without fear of retaliation.
Monitoring and review
Organisations should monitor the measures in place to detect fraud and attempted fraud, the measures in place to investigate suspected fraud, and the measures in place to prevent fraud. Therefore, organisations should take a holistic approach as to how they consider factors such as:
- how are financial controls monitored?
- what are the triggers for an investigation?
- are decisions to investigate monitored?
- are procurement processes audited?
- is unauthorised data access detected?
The nature of the risks faced by an organisation will change and evolve over time and the Guidance expects that fraud prevention procedures should be reviewed and adapted accordingly. Such review can include:
- seeking internal feedback;
- collating management information;
- reviewing relevant prosecutions or deferred prosecution agreements;
- reviewing fraud detection analysis.
Takeaways
Large companies in the U.K., and non-U.K.-based companies with a presence and/or activity in the U.K., are at risk of prosecution if appropriate procedures to prevent fraud are not in place. It is therefore crucial that such companies reassess their approach to risk management with tailored systems and controls.
Whilst large companies may have procedures in place to cover bribery or other risks, they should carefully consider whether outward-facing fraud is specifically covered and whether risks are assessed across the different functions of the company and across relationships with third parties such as contractors.
Please do not hesitate to contact the authors of this note for further assistance.
[1] https://www.gov.uk/government/publications/offence-of-failure-to-prevent-fraud-introduced-by-eccta/economic-crime-and-corporate-transparency-act-2023-guidance-to-organisations-on-the-offence-of-failure-to-prevent-fraud-accessible-version#chapter-3-reasonable-fraud-prevention-procedures
[2] https://www.gov.uk/government/news/new-failure-to-prevent-fraud-guidance-published