Failure to Prevent Fraud Offence - Government Guidance

27/11/2024

On 6 November 2024, the UK Government published guidance to help organisations deal with the new "failure to prevent fraud" offence, first introduced under the Economic Crime and Corporate Transparency Act 2023.

Our previous article, 'Failure to prevent fraud: a new corporate criminal offence', outlined details of the proposed legislation and encouraged organisations to examine their anti-fraud systems. In this article we examine the newly published guidance, specifically the procedures that "relevant bodies can put in place to prevent persons associated with them from committing fraud offences", which will assist organisations in achieving a defence to the new offence. We also consider practical steps that organisations can take before the legislation comes into force on 1 September 2025.

Scope

The guidance specifies that an organisation may be deemed criminally liable if an employee, agent, subsidiary or other 'associated person' commits a fraud intending to benefit the organisation and the organisation did not have reasonable fraud prevention procedures in place.

'Associated person' encompasses a broad definition which includes a company, its employees, agents or subsidiaries as well as companies within the supply chain if they "provide services for or on behalf of the relevant body" and franchises "if a franchisee provides services for the franchisor".

For example, at the most basic level, all employees of a UK business would be considered associated persons and, at the other end of the scale, suppliers who provide goods or services to an organisation, such as a delivery provider, would also be caught by the legislation.

The new offence specifically targets large and medium-sized companies, which must meet two of the following criteria in the preceding financial year:

  • Turnover exceeding £36 million;
  • Balance sheet total over £18 million;
  • More than 250 employees.

This does not mean that smaller organisations can ignore the legislation (read our article here to find out how those outside the above criteria might also be affected). Larger organisations who work with smaller organisations will need to ensure that they have adequate anti-fraud measures in place in order to do business with them as they will be deemed an 'associated person'.

By extending liability throughout an organisation and its supply chain, the government is attempting to encourage companies to prevent and discourage fraud at every level.

Benefit

Organisations who may think they can escape liability if they did not benefit from the fraud will need to be cautious.

The guidance indicates that "an organisation does not need to actually receive any benefit for the offence to apply" and that the "intention to benefit the organisation does not have to be the sole or dominant motivation for the fraud". For example, an employee of a company who earns a commission may mis-sell to increase their own commission, whilst also increasing their employer's sales. The primary motivation of the fraudster is not to benefit the company, but the company may be prosecuted as the benefit to the employee is contingent on the benefit to the company.

An additional important factor of the offence is that a benefit need not be financial for the offence to apply. A fraud committed to enable an unfair business advantage, such as favouritism from a supplier of a product, would constitute an indirect benefit. A fraud that disadvantaged a competitor would also be in scope under the legislation.

Guiding principles

One of the ways of ensuring that organisations have a defence to the offence is by ensuring 'reasonable prevention procedures' are in place. The guidance provides six principles that should inform an organisation's fraud prevention framework and constitute reasonable prevention procedures, including:

  1. Top Level Commitment
    The guidance indicates that those at the very top of an organisation are most responsible for preventing and detecting fraud. Boards of directors, partners and senior managers of organisations should be most aware and committed to preventing associated persons from committing fraud. This principle clearly highlights the government's aim of fostering an anti-fraud 'culture' within organisations. Some of the ways in which senior management can do this are by communicating and endorsing an organisation's stance on preventing fraud, promoting anti-fraud training and fostering an open culture, where staff can speak up about fraudulent practices.
     
  2. Risk Assessment
    Risk assessments should be conducted so that organisations can understand vulnerabilities and prioritise preventative measures. The assessments should be reviewed on an ongoing basis as the organisation and the industry it operates in develop. The guidance makes it clear that at a bare minimum an organisation should have a tailored risk assessment in place.
     
  3. Proportionate, tailored and scalable fraud prevention procedures
    Fraud prevention measures must fit an organisation's specific needs and scale. Whilst the guidance does little to expand on when the prevention measures would be considered "reasonable", organisations will need to ensure that the measures are targeted and relevant. The guidance outlines that in some limited circumstances it may be deemed reasonable to "not introduce measures in response to a particular risk", but goes no further, offering little comfort to organisations. Again, at the minimum, organisations should ensure they have a documented fraud prevention plan in place and should spend adequate time ensuring that the procedures to prevent fraud are proportionate to the risk identified.
     
  4. Due diligence
    Although the guidance offers little practical advice or steps regarding due diligence procedures, it is clear that organisations must conduct due diligence in respect of persons who perform or will perform services for or on behalf of the organisation. This will extend to associated persons by using methods such as screening systems, background checks and reviewing contracts to ensure compliance with anti-fraud obligations. The guidance also provides advice that organisations should conduct due diligence in relation to mergers or acquisitions, including assessing the target or acquiring organisation's criminal or regulatory charges, tax documentation and fraud detection and prevention measures.
     
  5. Training and communication
    This principle enshrines regular and engaging training programmes, which are required to create an informed and vigilant workforce. The guidance highlights that training should be "proportionate to the risk faced" and consideration should be given to specific training needs of those in the highest risk posts. The guidance also explains that training extends beyond compliance and that organisations should encourage employees to take an active role in fraud prevention by being educated about their role in reporting any suspicious activity.
     
  6. Ongoing monitoring and review
    The guidance also underscores the importance of setting up continuous monitoring systems and adopting procedures to meet evolving risks, including learning from investigations and whistleblowing incidents. In an ever-changing world, it is clear that organisations must review their anti-fraud procedures on a regular basis by seeking internal feedback, conducting audits and examining other organisations' financial crime prevention procedures.

Whilst the six identified principles are helpful to a degree, organisations may be concerned that some of the guidance is ambiguous and that it will likely take a prosecution to understand how the authorities will assess reasonable procedures.

Whilst the guidance defines the principles as 'flexible' and 'outcome-focused', it is clear that organisations themselves will need to spend significant time interpreting the principles. A key theme throughout the guidance is that a one-size-fits-all approach is inadequate, and enforcement agencies will consider liability on a case-by-case basis. Organisations will therefore need to pay specific attention to the size, complexity, needs, resources and the nature of the organisation's operations as this will impact and decide what is deemed to be 'reasonable' and in turn whether an organisation has a defence.

In addition to the defence, organisations are encouraged to foster an anti-fraud culture. In turn they themselves will benefit from better internal trust, reassured clients and increased investor attractiveness as well as avoiding scrutiny and reputational harm.

Extra Territoriality

The guidance indicates that the offence will only apply where the 'associated person' commits a fraud offence under the law of part of the UK. This will mean that either part of the offence must have occurred in the UK, there must have been a gain in the UK, or victims of the fraud must be based in the UK.

For example, if a UK-based supplier of an Italian domiciled company committed a fraud in the UK that impacted UK-based customers of the company, then a fraud has been committed under the legislation.

The offence does not apply to UK organisations whose overseas employees or subsidiaries commit fraud abroad with no UK nexus.

Conclusion

With an implementation deadline of September 2025, organisations still have time to ensure that their anti-fraud systems are adequate and up to date. There are initial steps that can be taken to ensure this, including:

  1. Conducting a detailed risk assessment to understand specific fraud vulnerabilities.
  2. Ensuring a fraud prevention team is in place to oversee and implement prevention methods, including policies and procedures.
  3. Developing training and communication programmes that encourage staff participation, making fraud prevention a shared goal.
  4. Setting up monitoring systems to ensure prevention measures are effective and that employees are able to report suspicious activity.
  5. Undertaking due diligence in respect of both clients and third parties i.e. suppliers.
  6. Ensuring contractual provisions cover fraud, including employment and supplier contracts.
  7. Ensuring regular fraud reviews and monitoring are in place.
  8. Ensuring responsibilities for fraud prevention are identifiable throughout the organisation, ideally at top level.

It is clear that the guidance leaves significant room for interpretation, particularly in relation to the six principles and how to best tailor these to specific businesses and sectors. This ambiguity can create challenges for organisations seeking to ensure they have effective and proportionate fraud prevention measures in place, and an adequate defence under the legislation.

Fraud is a complex and ever-evolving area of law, and Howard Kennedy has extensive experience assisting organisations facing scrutiny and investigation from enforcement agencies, whether this concerns issues arising from internal misconduct, subsidiaries, supply chains, or external agents. We are also well placed to support organisations in reviewing and enhancing their internal compliance procedures and risk assessments.

If you have any questions, are facing scrutiny or investigation by enforcement agencies, or simply require assistance navigating the guidance, do not hesitate to contact a member of the Business Crime team.
