Shepherd and Wedderburn LLP | Kevin Clancy
Introduction
On 26 October 2023, the Economic Crime and Corporate Transparency Act 2023 (ECCT Act) received Royal Assent. Through a broad range of measures, it aims to strengthen the UK’s response to economic crime, prevent abuse of the UK economy, and support enterprise.
The ECCT Act contains a number of different measures to prevent and tackle economic crime, including the new failure to prevent fraud offence. Our previous article looked at the failure to prevent fraud from the context of ESG considerations.
On 6 November 2024, the Home Office published guidance for organisations regarding the failure to prevent fraud offence. In particular, it explains what is meant by having “reasonable procedures” in place to prevent fraud.
Organisations now have until 1 September 2025 to ensure that they have put in place effective fraud prevention procedures. This focus on compliance and corporate culture is not dissimilar to what was seen across the corporate landscape upon the introduction of the UK Bribery Act.
Failure to get this right could result in criminal liabilities and consequences for UK corporates.
In this article we set out the details of the offence, the organisations that fall within the scope of the offence, and what the latest guidance offers by way of recommendations for reasonable procedures.
What is the failure to prevent fraud offence?
An organisation falling within the scope of the new offence will be guilty of an offence if a person associated with it commits a fraud offence intending to benefit (whether directly or indirectly):
- the organisation itself; or
- any person to whom the associated person provides services on behalf of the organisation (for example, customers of the organisation).
It is a strict liability offence: there is no requirement to show that the directors of a company had ordered, or knew about, the fraud. This is to discourage organisations from turning a blind eye to fraud offences that may benefit the organisation.
What organisations fall within the scope of the offence?
Any “large organisation” will fall within the scope of the offence if it satisfies two or more of the following conditions in the financial year preceding the fraud:
- the organisation’s turnover was more than £36 million;
- the organisation’s balance sheet total was more than £18 million; and
- the number of employees was more than 250.
Further, the offence applies to organisations incorporated or formed by any means. This includes incorporation by:
- The Companies Act 2006;
- Royal Charter;
- Statute (for example, NHS Trusts);
- The Limited Liability Partnerships Act 2000; and
- The Co-operative and Community Benefit Societies Act 2014.
Charities will also be within the scope of the provision if they are incorporated and they meet the conditions required to be a large organisation.
Under the offence, an organisation may be criminally liable where an employee, agent, subsidiary or other associated person commits a fraud intending to benefit the organisation and the organisation did not have reasonable fraud prevention procedures in place.
It is important to recognise that, since the definition of associated persons encompasses subsidiaries, a parent company can be held liable for a fraud committed by a subsidiary’s employee.
The offence will come into effect on 1 September 2025.
Defence of reasonable fraud prevention procedures
Relevant organisations will have a defence if they can show that, at the time the fraud offence was committed, they had reasonable procedures in place to prevent fraud (or that the risk of fraud was so low it was unreasonable to expect the organisation to have any prevention procedures in place).
What are reasonable fraud prevention procedures?
Organisations should have in place a fraud prevention framework that is informed by the following six principles.
It is important to bear in mind that there is no one-size-fits-all approach. What is reasonable for one business may not be for another. The assessment of reasonable procedures is context and fact specific. Consideration should be given to the sector the company operates in, the territories the company operates in, and its overall structure.
Top Level Commitment
Underpinning this principle is the notion that responsibility for the prevention and detection of fraud rests with those charged with the governance of the organisation.
Senior management must communicate and endorse the organisation’s stance on preventing fraud. It is recommended that effective formal statements are adopted in relation to:
- a commitment to reject fraud and the reputational benefits that this will bring;
- naming the key individuals/departments involved in the development and implementation of the organisation’s fraud prevention procedures;
- outlining the consequences for anyone who breaches the procedures; and
- referencing any membership of collective action against fraud (for example, initiatives undertaken by trade bodies).
The appointment of a “Head of Ethics and Compliance”, or similar role, has been recommended for all organisations. This person will:
- report to the board as appropriate;
- review the fraud prevention framework and its implementation;
- keep minutes of decisions and actions; and
- maintain governance when members of staff move to other positions, leave the organisation or are off work with illness.
Senior management will also be expected to allocate a reasonable budget to run the organisation’s fraud prevention policies, training and staffing.
Fostering an open culture amongst employees will be key to ensuring transparency and that employees feel empowered to speak up.
Risk Assessment
The organisation must assess the nature and extent of its exposure to the risk of employees, agents and other associated persons committing fraud, and form a view on the likelihood and impact of any identified risks.
Since the definition of an associated person is broad, organisations should look to start identifying those who would be caught by the definition in relation to their organisation.
Further, the guidance highlights three key risk factors that organisations must look for in individuals, namely:
- opportunity (weak controls/inadequate oversight);
- motivation (financial stress/bonus incentives); and
- rationalisation (no harm done/indifference to the organisation).
Organisations are advised to conduct a risk assessment that takes into account the individuals, systems and processes that contribute to the functioning of the organisation and review all concerns accordingly.
It may be that the likelihood of fraud is deemed low risk – but the risk assessment and its conclusions should still be properly documented so that there is an evidenced audit trail.
Proportionate risk-based fraud prevention procedures
Organisations should draw up a fraud prevention plan, with procedures to prevent fraud being proportionate to the risk identified in the risk assessment.
These should be clear, practical, accessible, effectively implemented and enforced.
The level of prevention procedures considered to be reasonable should take account of the level of control and supervision the organisation is able to exercise over a particular person acting on its behalf and the relevant body’s proximity to that person. Consider opportunity, motive and means.
Advisable steps to take would include:
- reducing the opportunities for fraud – what are the high-risk roles, products/services and sectors;
- reducing the motive for fraud – what are the factors that encourage fraudulent / criminal behaviours;
- putting in place consequences for committing fraud;
- reducing the rationalisation for fraudulent behaviour – consider due diligence, conflicts of interest and anti-fraud training; and
- testing the fraud prevention measures.
Due Diligence
Relevant organisations in the sectors facing the greatest fraud risks may already undertake a wide variety of due diligence procedures.
However, it should be noted that merely applying existing procedures tailored to a different type of risk (for example, a company’s compliance approach to the UK Bribery Act) will not necessarily be an adequate response to tackle the risk of fraud. An organisation will want to give specific consideration to documenting the due diligence undertaken in respect of the new corporate offence.
Communication
An organisation should ensure that its prevention policies and procedures are communicated, embedded and understood throughout the organisation.
A clear statement and endorsement of an organisation’s policy against fraud deters those providing services for or on behalf of the relevant body from engaging in such activities.
Training will be a key part of ensuring that an organisation is not caught by the offence, and it will also provide grounds for a defence to any charge brought against the organisation.
Furthermore, organisations should have appropriate whistleblowing arrangements. These may include board-level accountability for overseeing whistleblowing, and consulting trade unions and employee representatives about the process for receiving concerns raised by whistleblowers.
Monitoring and Review
An organisation will be expected to monitor and review its fraud detection and prevention procedures and make improvements where necessary. Monitoring includes three elements:
- detection of fraud and attempted fraud;
- investigation of suspected fraud; and
- monitoring the engagement with and effectiveness of fraud prevention measures.
Risk factors for organisations will change and evolve over time. This may be a result of the organisation’s growth and diversification, or of external factors in an ever-changing financial environment. Reviewing organisation policies and practices is essential to preventing fraud. An organisation may wish to have its review conducted by an external party or may choose to conduct its review internally.
What are the next steps?
Organisations should prepare for the implementation of the statutory offence in September 2025. Organisations should conduct a review of their own risk areas, and what policies could be implemented or improved. Nine months will pass by very quickly.
The six principles detailed above provide a framework to ensure that an organisation has implemented reasonable fraud prevention procedures. In the event that an organisation is investigated or charged under the ECCT Act, it will be important to be able to demonstrate that a proactive approach to the principles has been adopted.
The key takeaways are:
- review the appropriateness of existing procedures, especially those for the equivalent “failure to prevent” offences (bribery/tax evasion) – question whether they need to be amended or extended;
- ensure regular monitoring and review of training requirements and fraud prevention procedures;
- carry out a risk assessment; and
- consider what due diligence measures are required.
This article was co-authored by Trainee Patrick Kelly.
This article first appeared on Lexology.