Dentons US LLP

11/12/2024 | News release | Distributed by Public on 11/12/2024 04:32

UK government publishes Failure to Prevent Fraud guidance

November 12, 2024

This week, the UK government published its much-anticipated guidance on the new corporate criminal offence of "failure to prevent fraud". The introduction of the guidance means that the new offence, introduced as part of the Economic Crime and Corporate Transparency Act 2023 (ECCTA), will now come into effect on 1 September 2025.

The new offence, part of a package of changes brought in by the ECCTA to increase corporate criminal liability and corporate transparency, represents an increased focus by both the former and current government on targeting economic crime. With fraud estimated to represent more than 40% of crime in England and Wales, the introduction of the new offence is intended to drive a change in behaviours, targeting corporate compliance culture where there have historically been limited prosecutions.

Overview of the new "Failure to Prevent Fraud" offence

Under the new offence, organisations may be held criminally liable where they fail to prevent fraud committed by a person associated with the company, on behalf of the organisation, with the intention of benefiting the organisation or their clients. The concept of the "associated person" follows the example of the Bribery Act 2010 and the new guidance confirms that employees, agents or subsidiaries will all be considered to be an "associated person". Crucially, senior management does not need to have had knowledge of, or to have sanctioned, the offence committed, whereas previously corporate liability for fraud would have required evidence of wrongdoing at a very senior level.

Importantly, an organisation will not be considered criminally liable where it is a victim or the intended victim of a fraud intended to benefit its clients - so it will not face liability where it fails to safeguard itself against losses incurred due to internal or external fraud. However, the guidance does specifically state that an organisation will not be considered a victim where it suffers indirect harm as a result of fraud by an associated person, so it cannot argue that it is a victim as a result of reputational damage caused by the fraud.

To whom does it apply?

The application of the offence is currently limited to "large organisations" across the UK. A firm will be considered a large organisation where it meets two of the following criteria:

  • More than 250 employees
  • More than £36 million turnover
  • More than £18 million in total assets

These criteria will apply in respect of the financial year preceding the alleged fraud.

It is important to note that the above criteria apply to the whole organisation, including its subsidiaries, regardless of where the organisation is headquartered or where its subsidiaries are located.

The guidance notes that, whilst the new offence only applies to large organisations, it should be considered good practice for smaller organisations. We would perhaps go further than that, in suggesting that it appears to be inevitable that the offence will be extended to smaller organisations in the future, given the cross-party focus on reducing economic crime and the increased resourcing in investigating and prosecuting such offences.

Reasonable procedures defence

In the same model as the failure to prevent bribery and tax evasion offences, a firm will be liable where an offence has been committed save where it can demonstrate:

  • that it had reasonable procedures in place in order to prevent fraud; or
  • that it was not reasonable in all the circumstances to expect the organisation to have any procedures in place.

On 6 November 2024, the Home Office issued guidance which sets out what firms should consider when designing and implementing reasonable procedures. Whilst it does not set out an exhaustive list of steps that should be taken, it sets out six principles by which organisations should be guided:

  • Top level commitment - senior management should lead by example and seek to foster a culture where fraud is never deemed acceptable.
  • Risk assessment - the assessment of risk should be dynamic and kept under review. The organisation should look to understand the different types of risk presented by associated persons.
  • Proportionate risk-based prevention procedures - procedures should be proportionate to the potential fraud risks of the specific organisation and should take into account the nature and complexity of its operations.
  • Due diligence - organisations should reconsider existing due diligence procedures and ensure these appropriately address risks.
  • Communication (including training) - prevention policies should be articulated and reinforced at all levels of the organisation. Regular training is key and should be specific to the risks of different roles.
  • Monitoring and review - procedures should be reviewed regularly to ensure they are sufficient, and changes made where necessary, e.g. where new risks are presented. Ensure lessons are learned from any instances of whistleblowing or any investigations.

The guidance emphasises that organisations should not seek to follow a one-size-fits-all approach. It notes that even strict adherence to the principles may not be sufficient where an organisation has failed to take a holistic view of the unique risks of its operations. This highlights the real importance in understanding your organisation, employees, agents, internal culture and supply chain and the specific risks that your organisation needs to face in order to mitigate or appropriately manage those risks.

Existing compliance and fraud prevention procedures

The guidance sets out that, as the new offence extends across all sectors of the economy, there will be organisations that are already subject to specific regulations. Many firms will already be subject to regulatory oversight and reporting requirements in connection with financial services, construction, health and safety requirements, and environmental reporting. Whilst it is not the intention of the guidance to have organisations duplicate their existing work, it is emphasised that it would not be a suitable defence to prosecution to state that, because an organisation is regulated, its existing regulatory compliance processes must be deemed to be "reasonable procedures".

Indeed, our experience is that, even among our more heavily regulated clients, many firms take a fragmented rather than holistic approach to financial crime risk, with different risks delineated and managed by different parts of the organisation, because of the piecemeal way in which financial crime compliance, and corporate liability for it, has been implemented over the last 30 years. The introduction of the new offence, in our view, offers a unique opportunity for firms to grasp their financial crime risk and put in place a coordinated framework which enables the sharing of information and high-level oversight to more comprehensively and effectively manage risk.

Prosecution of the new offence

The new offence can be prosecuted by either the Serious Fraud Office (SFO) or Crown Prosecution Service in England and Wales. Whilst the SFO has investigative powers in Scotland, prosecutions are undertaken by the Crown Office and Procurator Fiscal Service. If convicted, organisations can face an unlimited fine.

What is important to note in this regard is that the introduction of the economic crime levy (a charge levied on AML regulated firms which are considered to pose the highest risk of being used as part of money laundering) means that the Home Office is actively generating more money to spend on economic crime detection and pursuit. We understand that the National Fraud Squad is being heavily invested in and more local police are being trained to conduct fraud investigations.

Next steps: ensuring financial crime compliance and regulatory health

We recommend that organisations use the time from now until the offence comes into effect on 1 September 2025 to ensure that they have in place suitable and reasonable procedures to prevent fraud. We note below some steps that organisations can take in order to prepare:

  • Conduct an organisation-wide risk assessment which takes into account the specific risks that the organisation faces, not just general risks. We would recommend that firms think about how they can effectively manage their holistic financial crime risk as part of this thinking, rather than creating another financial crime "silo" to be managed, which will inevitably cross over with the firm's bribery, money laundering and tax evasion risk. This may mean that you consider a financial crime risk assessment rather than a standalone fraud risk assessment.
  • Consider whether there are any other regulatory obligations to which the firm may be subject - is it caught by the whistleblower directive? By any health and safety, or reporting requirements? Has it considered whether it is conducting any AML regulated activities for which it should be registered?
  • Consider recent sector and organisational changes - do they present new risks that have not been considered or addressed in any existing framework?
  • Carry out specific anti-fraud risk assessments in respect of employees, subsidiaries and associated persons to understand the different risks presented.
  • Ensure that you have considered how you are mitigating, detecting, reporting and investigating potential crystallised risk.
  • Think about your governance structure - who is responsible for financial crime risk? Are different people responsible for different financial crime risks? If so, how are you ensuring that they are aligned and informed on emerging risks in different parts of the firm?
  • Consider "tone from the top" - how are you embedding honest and ethical business practices in the firm? Is there anything that you are doing which may inadvertently increase the fraud risk?
  • Carry out regular training of employees at all levels and ensure that employees are aware of how to spot and report potential fraud.

If you are considering reviewing and implementing a fraud strategy to meet the new corporate liability risk, then please do reach out to a member of the team and we would be happy to have an initial discussion with you on potential next steps.