Navigating the failure to prevent fraud offence: guidance for organisations
Earlier this month, the Government published guidance on the new failure to prevent fraud offence (the Guidance) introduced by the Economic Crime and Corporate Transparency Act 2023 (ECCTA). Organisations will be especially keen to understand the Guidance on how to develop reasonable fraud prevention procedures, as having reasonable fraud prevention procedures in place can serve as a defence against the new offence.
Publication of the Guidance has triggered a nine-month implementation period for organisations to develop and put in place appropriate procedures. Organisations that are found criminally liable could land a potentially unlimited fine. It is therefore essential that steps are taken now to develop and implement fraud prevention procedures before the offence comes into force on 1 September 2025.
This briefing provides an overview of the principles of fraud prevention procedures as set out in the Guidance.
Overview of the offence
The offence will hold organisations to account for fraud committed by their employees, agents, subsidiaries, or other “associated persons” who provide services for or on behalf of the organisation, where the fraud was committed with the intention of benefitting the organisation or its clients (directly or indirectly). Senior managers and directors do not need to have known about the fraud.
The offence applies to large, incorporated bodies and partnerships across all sectors of the economy. It should be noted that when considering the size of organisations, the criteria apply to the whole organisation, including subsidiaries and regardless of where the organisation’s headquarters or subsidiaries are located, provided there is a UK nexus (see further below). The offence is not limited to commercial organisations; incorporated charities will be within scope if they meet the “large organisation” criteria.
The new offence encompasses the fraud and false accounting offences most likely to be relevant to corporations. It only applies if the person commits the base fraud while acting in their capacity as a person associated with the corporation (for example, if acting as an employee or as an agent). A fraudulent act that takes place outside this capacity – for example, in that person’s private life – does not give rise to corporate liability.
What is meant by “intending to benefit”
The issue of who is intended to benefit from the underlying fraud is key to determining whether a relevant organisation can be held accountable for the offence of failure to prevent fraud. There is no requirement for an organisation to actually receive a benefit for the offence to apply. It is enough that the organisation was intended to be the beneficiary. The same applies if the intention was to benefit the clients to whom the associated person provides services for or on behalf of the relevant organisation.
Intent is judged based on the position of the associated person at the time they commit the fraud. The Guidance notes that it would be irrelevant, for example, if, as a consequence of the fraud being discovered, the organisation had to reimburse the proceeds and therefore did not benefit from the fraud in the end.
Crucially, the intention to benefit the organisation does not have to be the sole or dominant motivation for the fraud.
Territoriality
The offence requires a “UK nexus”, which means that one of the acts which was part of the underlying fraud took place in the UK, or that the gain or loss occurred in the UK. The offence is therefore broad in scope: an employing organisation, irrespective of where it is based, could be prosecuted if a UK-based employee commits fraud or if an overseas-based employee commits fraud in the UK or targets victims in the UK.
Reasonable fraud prevention procedures
The onus is on the organisation to put in place adequate fraud prevention measures designed with its specific structure and location in mind. Organisations will have a defence if they have reasonable fraud prevention procedures in place or if they can show it was not reasonable to expect the organisation to have any prevention procedures in place. This assessment can only be made by the courts, which will take into account the particular facts and circumstances of the case.
Chapter 3 sets out comprehensive guidance on what organisations should consider when designing and implementing reasonable procedures. Organisations should be informed by the following six principles:
Top level commitment: responsibility for the prevention and detection of fraud rests with those charged with the governance of the organisation. As such, the role of the board of directors, partners and senior management is likely to include:
- Communicating and endorsing formal statements of the organisation’s fraud prevention stance
- Ensuring clear governance for the organisation’s fraud prevention framework
- A commitment to training and resourcing
- Leading by example to foster a culture that combats fraud
Risk assessment: most organisations will already have carried out risk assessments in some form, so what is required for these purposes may only need to be an extension of existing analysis where necessary. Risk assessments should also be reviewed regularly.
The assessment may start with the identification of categories of associated persons followed by a range of circumstances under which the risk of fraud arises. Typologies of risks may be developed by considering the fraud triangle:
- Opportunity: this includes not just whether the associated persons have the opportunity to commit fraud but also looking at whether emerging tech facilitates the ability to commit fraud and whether certain associated persons can operate with minimal supervision.
- Motive: this considers factors such as whether there are financial, operational or temporal constraints within the organisation that can place additional pressure on employees to complete projects quickly.
- Rationalisation: this looks both at the prevalence of fraud in the wider business sector and whether the organisation makes it difficult for employees to raise concerns.
Proportionate risk-based prevention procedures: appropriate fraud prevention procedures should be proportionate to the potential fraud risks and take into account the nature and complexity of operations.
When drawing up a proportionate fraud prevention plan, risk factors should be considered in the context of:
- Reducing the opportunities for fraud
- Reducing the motives for fraud
- Being clear on the consequences for committing fraud
- Challenging the rationalisation of fraudulent behaviour
- Sector specific information
In limited circumstances it will be reasonable not to introduce measures. It is recommended under the Guidance that a record is kept of the decision maker and reasons for making the decision. However, the Guidance states that it will rarely be considered reasonable not to have even conducted a risk assessment.
Due diligence: Appropriate due diligence should be carried out in respect of individuals within the organisation who perform services on its behalf to mitigate fraud risks.
Communication (including training): Fraud prevention policies should be communicated and embedded throughout the whole organisation. This is likely to involve:
- Regular training: this is key and should be proportionate to the risk faced
- Whistleblowing arrangements
Monitoring and review: Procedures should be regularly reviewed to ensure that they are sufficient and updated where required.
If you are considering the impact of the new offence on your organisation, our team would be happy to discuss next steps with you. Please contact Gerard Heyes and Georgia Tetlow for further information.
If you would like to know more about the broader reforms that have been introduced under ECCTA so far and/or any of the other provisions that are expected to come into force during the course of 2025, please read our earlier commentary here. We will continue to monitor developments.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, November 2024