The UK government has published its first guidance on the new ‘failure to prevent fraud’ offence, which will come into force in September 2025 under the Economic Crime and Corporate Transparency Act 2023. Ronak Mahdavi Jovainy and Andrew Robson examine the new law.
The new failure to prevent fraud offence aims to make it easier for organisations to be held accountable for fraud committed for their (or a client’s) benefit. It demonstrates a shift in government focus to targeting economic crime and increasing corporate transparency.
Organisations found guilty of the offence will not only be liable to a fine but will also likely suffer significant reputational damage. The guidance rightly suggests that the legislation will drive “a major shift in corporate culture to help prevent fraud”. The extent to which it does so will come to light in the coming months and years.
The next nine months will be crucial for large organisations. They will need to ensure appropriate fraud prevention procedures are in place that take into account not only the suggested best practices as to what “reasonable procedures” may look like (see below) but also safeguard against risk factors unique to their organisation. While the guidance is a useful starting point, organisations should not treat it as a “one-size-fits-all” checklist. Any organisation that does so will likely fall short of what is considered reasonable for its individual risks.
What is the offence?
Organisations may be held criminally liable: (1) where an employee, agent, subsidiary or other “associated person” commits a fraud, (2) the intention of that fraud is to benefit the organisation (or a client of the organisation) and (3) that organisation did not have reasonable fraud prevention procedures in place.
By virtue of the offence being a “failure to prevent” offence, organisations are in a more precarious position than ever before. The scope of the offence is much broader than that of the UK Bribery Act. Organisations run the risk of being held accountable regardless of whether the benefit is direct or indirect and actual or intended.
As such, an organisation may be liable even if it does not receive any benefit. The risk of liability for fraud will, therefore, increase significantly come September 2025.
What type of organisations are affected by the ‘failure to prevent fraud’ offence?
The offence will apply to “large organisations” that satisfy at least two of the following conditions in the financial year of the organisation preceding the year of the offence:
- more than 250 employees,
- a turnover of over £36m, and/or
- assets in excess of £18m.
Although the offence is primarily applicable to large organisations, the guidance makes clear that the principles represent good practice. They should, therefore, be considered by smaller organisations, not least because they may be an “associated person” of a large organisation.
It follows that large organisations will now likely require smaller organisations to confirm that they have at least a minimum level of fraud prevention measures in place before doing business with them.
How do you ensure ‘failure to prevent fraud’ compliance?
Should an organisation be investigated for failure to prevent fraud, a defence is more likely to succeed if it can demonstrate to the satisfaction of the court that (a) reasonable procedures were in place to prevent the fraud or (b) it was not reasonable in all the circumstances to expect the organisation to have any prevention procedures in place.
The guidance sets out six flexible and outcome-focused principles for organisations in developing new or enhancing existing procedures to prevent fraud:
- Top-level commitment
The guidance makes clear that it is the responsibility of senior management within an organisation to prevent and detect fraud. Senior management includes boards of directors, partners and other individuals who play a significant role in decision-making about the management and activities of an organisation.
Key aspects of the guidance on the responsibility of senior management include:
- fostering a workplace culture that allows staff to report potential fraud and ensuring the processes for doing so are abundantly clear, and
- making clear that the prevention of fraud takes precedence over the profits of the business and that short-term business loss is a small price to pay when, in doing so, the organisation will maintain customer and business-partner confidence.
- Risk assessment
The guidance stresses that organisations should, as a minimum, conduct a risk assessment and “it will rarely be considered reasonable not to have even conducted a risk assessment”. Factors to consider are:
- assessments must take into account the nature and extent of exposure to fraud risk of employees, agents and other associated persons, and
- it is insufficient to carry out a one-time risk assessment. The risk assessment must be reviewed regularly, even after implementing fraud prevention procedures.
- Proportionate risk-based prevention procedures
Organisations should put in place a fraud prevention plan. The guidance makes it clear there is no one-size-fits-all approach and:
- organisations should prepare and regularly update a fraud prevention plan that is proportionate to the organisation’s level of risk, and
- reasonable measures for the purposes of the failure to prevent fraud offence are not necessarily in place by virtue of an organisation being regulated by another body and having the requisite measures in place to satisfy that regulatory body’s requirement. Procedures should be adapted as required to account for the new offence.
- Due diligence
Similar to the above, while many organisations already undertake a wide range of due diligence procedures, applying the existing due diligence procedures to different risk categories may not be sufficient.
Due diligence should be carried out on associated persons (including new partners) and in the context of mergers and acquisitions. Suggested best practice examples for conducting due diligence include:
- the use of appropriate technology, for example, third-party risk management tools, and
- ensuring contracts with service providers include appropriate obligations relating to compliance that enable the organisation to terminate in the event of a breach.
- Communication (including training)
A key principle in the guidance (particularly given the wide range of individuals within or associated with an organisation that can cause the organisation to be found liable) is effective communication of fraud prevention policies and procedures. This includes:
- ensuring that those policies and procedures are not only communicated but are embedded throughout the organisation and understood and implemented across all levels,
- delivering training that is proportionate to the level of risk, taking into account those in the higher risk roles,
- monitoring the effectiveness of training programmes. Organisations should ensure the programmes are up to date and that all staff have had the necessary level of training for their role, particularly when an employee moves to a role within the organisation that has differing risks or higher risk levels, and
- whistleblowing policies that are made clear to those within an organisation.
- Monitoring and review
Monitoring processes should include (i) the detection of fraud and attempted fraud, (ii) investigations, and (iii) assessing the effectiveness of fraud prevention measures.
It is more likely than not that large organisations already have in place arrangements for all three elements of monitoring. However, they should consider whether current arrangements cover fraud that may benefit the organisation or its clients, and if not, what action should be taken to ensure these circumstances are covered.
Risk factors are ever-changing, and organisations need to be prepared to adapt fraud detection and prevention procedures in response. While risk assessments are typically conducted annually or bi-annually, it is up to the organisation to determine the review frequency warranted by a particular risk.
Conclusion
Many organisations that fall within the scope of the offence are likely to be global organisations operating across multiple jurisdictions. While nine months appears to be a reasonable length of time, it will undoubtedly be a challenge for large-scale organisations to ensure their processes are airtight. That is because it takes a significant amount of time to carry out risk assessments, devise compliance procedures and implement them across an organisation.
The immediate reaction to the government’s publication of the guidance must be one of action. Management teams across all organisations should meet their compliance teams to review fraud policies and plug any gaps in time for September 2025. Time is of the essence.