Failure to prevent fraud offence: “reasonable procedures” guidance published and the countdown begins

United Kingdom

The UK’s Economic Crime and Corporate Transparency Act 2023 (“ECCTA”) makes various changes in the law relating to economic and financial crime.

The official Guidance on the new offence of “failure to prevent fraud” (the “Guidance”) has now been published. Companies which have not already put anti-fraud procedures in place now have under 10 months in which to do so.

The Failure To Prevent Fraud Offence

In summary:

  • The new offence will come into force on 1 September 2025.
  • The new offence will apply to large organisations to which at least two of the following apply: (1) more than 250 employees; (2) more than £36 million turnover; or (3) more than £18 million in total assets.
  • The organisation is liable if a specified fraud offence[1] is committed by an employee or agent of an organisation, for that organisation’s or its clients’ benefit.
  • It is a strict liability offence: management need not have approved or been aware of the misconduct for the organisation to be liable.
  • But it is a defence for the organisation to show that it had “reasonable” anti-fraud procedures in place at the time of the offending. Those procedures are the main subject of this briefing.

For an update on the general timetable for implementation of other provisions of ECCTA dealing with company compliance and transparency, see our earlier article linked here.

Official Guidance & Grace Period

Large organisations now have a grace period of just under 10 months in which to design and implement reasonable procedures to prevent fraud. After that period, both organisations and, at least potentially, individual directors are exposed to the risk of criminal investigation and prosecution for the fraudulent actions of employees or other associated persons.

Reasonable Procedures: Core Principles

The 6 guiding principles in the Guidance are:

  • top level commitment to preventing fraud, including:
    • communication and endorsement of the fraud prevention strategy by senior executives;
    • ensuring clear governance framework e.g., designating responsibility for preventing fraud, and senior executives’ personal involvement where appropriate;
    • commitment to training and resourcing to support fraud prevention; and
    • leading by example and creating an open culture;
  • risk assessment to identify the organisation’s specific fraud risks; the assessment should, among other things, be regularly reviewed and updated, focus as a starting point on the so-called “fraud triangle” of opportunity / motive / rationalisation, and account for the added risks that arise in emergency situations;
  • proportionate risk-based prevention procedures – in essence, a robust fraud prevention plan that comprehensively and proportionately tackles the risks identified at the risk assessment stage;
  • proportionate and risk-based due diligence of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified fraud risks. The Guidance identifies useful points to consider both in respect of organisations’ own employees and agents, as well as wider categories of associated persons;
  • communication of the organisation’s fraud prevention policies internally and externally (including by implementing and maintaining training, and putting in place appropriate whistleblowing policies and protections); and
  • monitoring and review of the organisation’s fraud prevention policies, including by reference to its detection and investigation of suspected fraud.

These 6 principles are essentially the same as those found in other government guidance on the prevention of bribery and the criminal facilitation of tax evasion.

Detailed Suggestions of Good Practice

The Guidance gives quite detailed suggestions for good practice as regards implementation of each of the above principles. These are too lengthy to summarise here, but the overarching themes of the good practice guidance can be summarised in two concepts:

The first is “substance over form”: anti-fraud procedures must not be mere tick-box exercises with no specific engagement, risk assessment or follow-up. The second is the emphasis on “cultural” factors that make fraud more difficult to commit within a corporate environment.

To give a flavour, here are some highlights of what the Guidance considers to be good practice:

Principle / Suggestions of Good Practice

  • Top level commitment: Communication of commitment by senior management; specific measures re. resources, governance, and “leading by example”.
  • Risk assessment: Identifying fraud typologies; use of the “fraud triangle”; identifying data sources including audit, data analytics, regulatory actions; risk classification; regular review (see below).
  • Proportionate procedures: Creating a fraud prevention plan; considering the level of control and supervision over individuals; reduction of opportunities and motivation for fraud; taking into account existing sector regulatory regimes; use of published data/sources; testing anti-fraud systems.
  • Due diligence: Using technology, e.g. third-party risk management and screening tools, vetting checks; contract reviews including with agents, use of contractual compliance wording; monitoring of the well-being of staff and agents to identify risk due to “stress, targets or workload”; specific provisions in relation to due diligence in M&A transactions.
  • Communication: Ensuring senior management messaging is not undermined or circumvented; use of training (including monitoring effectiveness); adopting/following suitable whistleblowing policies, independent oversight, appropriate investigation of whistleblower reports.
  • Monitoring & Review: Use of measures to detect fraud, including data analysis, whistleblowing data, AI tools, reporting of aggregated data and measuring effectiveness; use of measures to investigate suspected fraud, including policies on how investigations are triggered and managed. “Investigations should be independent, clear about their internal client and purpose, appropriately resourced, empowered and scoped (including through legal advice), and legally compliant.” Procedures should be reviewed regularly; frequency is case-specific but “typically” risk assessments may be conducted annually or bi-annually.

Overlaps With Other Compliance Arrangements

The Guidance recognises that large companies will be subject to many other compliance requirements, including compliance procedures focussed on other offences such as failure to prevent bribery and failure to prevent tax evasion. However, the Guidance makes clear that companies should not rely on existing procedures relating to, say, tax evasion as a guarantee of a defence when it comes to fraud.

The same principle applies to audit procedures. The Guidance contains a useful discussion of the role likely to be played by audit in informing the anti-fraud procedures and identifying risks. However, again, it is clear that a “clean” audit alone does not necessarily provide the appropriate level of assurance.

What Should Large Organisations Do Now?

Each organisation will have different needs and different risks. That said, in our view, qualifying companies with UK operations, employees or agents should at the very least take the following steps, if they have not been taken already:

  1. Resolve at senior management level to seek to prevent fraud being committed on behalf of the company, and allocate appropriate resources and governance;
  2. Carry out a suitable Risk Assessment as regards potential liability for failure to prevent fraud;
  3. Review existing procedures and/or create new or amended procedures specifically to tackle fraud risk;
  4. Ensure that due-diligence is effective and proportionate to the risk of fraud;
  5. Communicate the company’s approach, provide appropriate training and support appropriate whistleblowing procedures; and
  6. Monitor and review fraud risk regularly. Consider whether to take measures to detect fraud and investigate suspicions of fraud in a robust and defensible way.

The Culture Issue

All of the above is largely common sense. But it is notable that the view of the Government appears to go further than “mere” compliance. It wishes to change corporate culture away from (perceived) indifference towards fraud and other misconduct.

The Minister for Security, Dan Jarvis, has said that the failure to prevent fraud offence “is designed to drive the culture change toward improved fraud prevention procedures within organisations in that we will hold them to account if they seek to profit from fraud that’s committed by their employees, agents or those developing services for them.”[2]

This is very laudable, of course. Fraud is an extremely harmful social and economic phenomenon which businesses should be vigilant about. And the level of detail and analysis contained in the Government Guidance is refreshingly helpful and practical compared to others. It is entirely right to encourage evidence-based decision making, engagement with data and independent decision-making and thus discourage a tick-box approach.

All that said, sweeping assertions about a company’s “culture” are very difficult to substantiate in real-life cases when the authorities are investigating. They can be distracting and, in some cases, are hostages to fortune. In our view, each company should take a realistic approach to its own risks of being liable for fraud under the new legislation and seek to make suitable changes to policies and practices which reflect those risks. Producing written policies is no more than a starting point – as the Guidance makes clear, following these up and regular monitoring and review may be even more important than a library of impressive documents.

Should you need any specific advice on how the new offence might affect your business or how to approach these issues, including compliance issues, please contact our team of specialists (contact details are below).
[1] See Annex 1 for the definition of “fraud offences”.

[2] https://www.parallelparliament.co.uk/debate/2024-11-06/commons/written-statements/failure-to-prevent-fraud-corporate-offence-guidance#:~:text=The%20offence%20is%20intended%20to,in%20some%20circumstances%2C%20their%20clients.

ANNEX 1

“FRAUD OFFENCES”

In England & Wales:

Fraud offences under section 1 of the Fraud Act 2006, including:

  • Fraud by false representation (section 2 Fraud Act 2006)
  • Fraud by failing to disclose information (section 3 Fraud Act 2006)
  • Fraud by abuse of position (section 4 Fraud Act 2006)
  • Participation in a fraudulent business (section 9 Fraud Act 2006)
  • Obtaining services dishonestly (section 11 Fraud Act 2006)

Cheating the public revenue (common law offence)

False accounting (section 17 Theft Act 1968)

False statements by company directors (section 19 Theft Act 1968)

Fraudulent trading (section 993 Companies Act 2006)

In Northern Ireland the substantive offences are the same as England & Wales, albeit the statutory sources differ.

In Scotland:

Fraudulent trading (section 993 Companies Act 2006)

Fraud (common law)

Uttering (common law)

Embezzlement (common law)