FRP Advisory | Molly Sandquest
Molly Sandquest explores what businesses should be doing now to comply with new anti-fraud legislation
The UK’s Economic Crime and Corporate Transparency Act 2023 (ECCTA) demonstrates renewed focus on the fight against fraud, money laundering and other forms of economic crime.
As I discussed in my first article of this series, central to the legislation is the introduction of a new ‘failure to prevent fraud’ offence. This encapsulates scenarios ranging from management fraudulently misrepresenting the value of the company, to a fund promoting investment in a ‘sustainable’ business, knowing the environmental credentials are fabricated.
Under this new offence, an organisation will be liable where fraud is committed for the benefit of an organisation (directly or indirectly) by an associated person acting for or on behalf of the business. The penalties can only be mitigated if the organisation has ‘reasonable’ fraud prevention procedures in place. Importantly, the leadership of the company does not have to have orchestrated, or even to have known about, the fraud for it to be held liable.
Currently, the offence only applies to large organisations – defined in line with the standard definition from the Companies Act 2006 as meeting two out of the three criteria of: i) having more than 250 employees; ii) more than £36 million turnover; and iii) more than £18 million in assets. It may be that smaller companies will also be brought into scope in due course.
Even though the ECCTA is now law, we are still waiting for guidance from the government on what ‘reasonable fraud prevention procedures’ are before the offence comes into force. Whilst this is due soon, it is important for businesses to appreciate they can be taking steps in the right direction now by looking to best practice that already exists elsewhere.
One area where management teams can take inspiration is the six principles set out in the Ministry of Justice’s guidance to the UK Bribery Act and similar guidance issued for the corporate offences of failing to prevent the criminal facilitation of tax evasion. We anticipate the ECCTA guidance, when published, is likely to mirror these. However, we anticipate organisations will need to have a heightened focus on the methodology of the risk assessment and the importance of robust financial controls.
Bear in mind that compliance with the ECCTA should not require a complete overhaul of companies’ current procedures – a lot of this will, and should, already be familiar. But, just as the legislation expands responsibility for fraud prevention within an organisation, management teams may now need to expand their thinking on current procedures to ensure they are compliant. More generally, there are three overarching areas business leaders should be alive to when ensuring their fraud prevention procedures are robust:
1 | Know your risks
The first step to any effective fraud prevention strategy is defining what constitutes ‘fraud’, and then knowing the risk areas where this fraud could occur.
It sounds so simple. But in my experience, it is still often missed – or at least organisations are not clearly identifying all possible, or the most relevant, fraud risks they face.
It is common for companies to think of financial misappropriation as the main fraud risk (fraudulent bank transfers, fictitious invoicing, expenses fraud, for example). But fraud can take many forms depending on the nature of the business, ranging from anti-competition issues to financial and non-financial misreporting or fabricated safety certifications. The focus here needs to be on understanding the risk of associated persons engaging in economic crimes that intend to benefit the organisation or group, and not purely on internal fraud conducted against the business, as the business will not be criminally liable if it is the intended victim of the fraud.
Businesses should conduct, or refresh, their formal fraud risk assessment based on their own specific circumstances, developing a risk matrix that considers the likelihood a certain risk will occur and estimates of the potential impact. As well as helping to raise awareness of the range of risks they face, this helps management teams assign appropriate levels of resources to address each risk.
When assessing risks, it is critical for businesses to consider activities conducted by parties outside of their own organisation, reflecting on compliance monitoring of their supply chain and third-party due diligence procedures – are these thorough enough to catch poor behaviour, and do they need to be changed? It is also important to think ‘outside the box’ and consider the worst-case scenarios, however far-fetched they may seem. We have seen instances of entire financial environments being fabricated with two differing systems being run concurrently, for example.
Unlikely but significant risks may turn out to be the areas where an organisation is most vulnerable, simply because prevention has never been considered necessary. Only in very limited circumstances will it be deemed reasonable not to introduce preventative measures in respect of a particular fraud risk.
2 | Assign responsibility
Once fraud risks are identified and documented, the responsibility for mitigating them must be clearly assigned to an individual or delegated across a group of employees. They should then be encouraged to draw on wider resources to do what they feel needs to be done to carry out their role.
Ideally, one person should spearhead fraud risk governance for the business. In group corporate structures, a parent company is likely to implement group-level policies and training, and then assign fraud mitigation responsibilities to each of its subsidiaries.
Management teams must clearly communicate to all those involved in risk governance or mitigation the expectations of these roles so they understand exactly what their responsibilities are, and help raise wider fraud awareness in a relevant way.
Management must also make sure there are processes in place to ensure accountability and ensure those responsible for governance and mitigation are properly resourced to carry out their roles. Along with any necessary training, this should include ensuring they have sufficient time to carry out their fraud prevention responsibilities within their day-to-day workload.
3 | Think processes and culture
Together with assigning responsibility for fraud prevention, management teams must also ensure their businesses have the right processes and procedures in place, and that these are documented with a clear plan for review and updates going forwards.
These should include robust preventative processes that are proportionate. For example, financial controls to identify and prevent fraudulent actions – from reconciling company records against bank statements to regular stock checks on inventory.
And they should cover what happens if fraud is identified. These ‘reactive’ plans must be as clear to follow as possible and understood at all levels of an organisation so they can be quickly and reliably enacted if required.
Both preventative and reactive plans, together with the fraud risk assessments, must be reviewed regularly once they are in place – fraud risks and fraudsters’ strategies are constantly changing, so what worked six months ago simply may not be adequate now. Companies should also consider subjecting their procedures to independent review from expert professionals. A fresh, outside perspective can help make sure nothing has been missed, and can be an opportunity to benefit from other firms’ experiences.
Finally, when it comes to fraud prevention, businesses should not overlook or underestimate the value of culture and a well-defined code of ethics. An effective ‘tone from the top’ provides a principled atmosphere that sets a positive example and influences the organisation’s attitudes and behaviours. Fostering an open, transparent environment where people feel supported and empowered to speak up and report suspicions can be central to preventing fraudulent activity. If this is not in place, companies should think about how they can change this as a priority; it is just as important as setting out responsibilities and documenting formal procedures.
Next steps
We will be commenting on the specific ECCTA guidance when it is published by the government so look out for the next article in our series.
But, in the meantime, following these general points of best practice will help put businesses on a strong footing to prevent fraudulent activity occurring, and to effectively react to it if it occurs.
As with so many things, when it comes to fraud, prevention is always better than the cure. And there will be significant benefits to taking a thorough, preventative, approach to fraud over and above ECCTA compliance – from better oversight of company operations generally, to helping build trust with suppliers and customers.
This article first appeared on Lexology. You can find the original version here.