
Failure to prevent fraud: A focus on the recently published Government Guidance

Gary Watson


With a little over seven months to go until the new offence of failure to prevent fraud comes into effect, this article summarises key points from the recent Government Guidance.  


It sets out some practical steps firms should be taking to ensure they are prepared for the new legislation. 


 

Background recap


The new offence of failure to prevent fraud was created by the Economic Crime and Corporate Transparency Act 2023. Under the offence, an organisation may be criminally liable where an employee, agent, subsidiary, or other ‘associated person’ commits a fraud intending to benefit the organisation, and where the organisation did not have reasonable fraud prevention procedures in place. 


The offence sits alongside existing law; for example, the person who committed the fraud may be prosecuted individually for that fraud, while the organisation may be prosecuted for failing to prevent it.


It applies to ‘large organisations’, defined as meeting two or three out of the following criteria:


  • more than 250 employees

  • more than £36 million turnover

  • more than £18 million in total assets


The offence will come into effect on 1 September 2025. 


 

Financial services firms


Financial services firms will be familiar with the Bribery Act 2010, and the Criminal Finances Act 2017, and therefore the respective criminal offences of failure to prevent bribery and failure to prevent tax evasion by people associated with their organisations. The failure to prevent fraud offence treads a similar path, in that the defence against the offence requires adequate preventative procedures. 


In addition, financial services firms are already subject to regulatory expectations that they have robust systems and controls to counter the risk of the firm being used to further financial crime. In this respect, the requirements of the preventative procedures will look and feel familiar. 


 

The Guidance: observations 


Reasonable prevention procedures


Whilst the six principles remain the same as with previous failure to prevent offences, top level commitment has moved up to the premier position, followed by risk assessment.  The Guidance does highlight the link (or overlap) with the UK Corporate Governance Code, which requires the boards of companies (listed and large private companies that meet certain thresholds) to review and monitor all material controls, but perhaps more importantly here, senior management will need to be able to evidence sufficient ‘tone from the top’.    


| Failure to prevent fraud | Failing to prevent criminal facilitation of tax evasion | Failure to prevent Bribery |
| --- | --- | --- |
| Top level commitment | Proportionality of risk-based prevention procedures | Proportionate procedures |
| Risk assessment | Top level commitment | Top-level commitment |
| Proportionate risk-based prevention procedures | Risk assessment | Risk assessment |
| Due diligence | Due diligence | Due diligence |
| Communication (including training) | Communication (including training) | Communication (including training) |
| Monitoring and review | Monitoring and review | Monitoring and review |


The Guidance indicates that any fraud prevention plan should be proportionate to the risks faced and goes on to say that it is not necessary for organisations to duplicate existing work. However, it is also clear that relying on compliance processes under existing regulations will not provide a suitable defence against the new offence. In addition, there is a need to document any decision made not to implement procedures to prevent a specific risk, together with the name and position of the person who authorised that decision.


Any lack of a documented approach, and of the reasoning behind how and why certain decisions were taken, is likely to be important to the prospect of a prosecution should a criminal investigation take place. Therefore, taking no action is not a viable option.

Although the offence only applies to large organisations, the Guidance does highlight that the principles represent good practice and may be helpful for smaller organisations. In this respect, they should also be reviewed in line with FCA SYSC 3.1:

‘A firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business.’

No safe harbour from prosecution


It is worth noting that the Government guidance does not provide a safe harbour, indicating that… 

even strict compliance with the guidance will not necessarily amount to having reasonable procedures where the relevant body faces particular risks arising from the unique facts of its own business that have not been addressed.

This contrasts with, for example, JMLSG, where following guidance has historically been considered a safe harbour, and…

a court must take account of industry guidance in determining whether a person or institution within the regulated sector has complied with any of the requirements of the ML Regulations.

Associated persons


The Guidance does provide some clarification as to how associated persons are defined. Employees and agents are considered associated persons. A person who provides services for or on behalf of the relevant body is also an associated person while they are providing those services. However, persons providing services to an organisation are not deemed to be acting ‘for or on behalf’ of the organisation and would therefore not be associated persons (this would include, for example, external lawyers and accountants). It also clarifies that providing services does not include providing goods.



 

Getting ready


Determine who is responsible to lead: This isn’t entirely straightforward, as the offence could be committed over a number of different departments, but it would be sensible for one SMF to accept overall responsibility, with others feeding into the risk assessment for their respective departments. Whilst the Guidance indicates this could be the ‘Head of Compliance or a similar person who is responsible for the organisation’s financial crime compliance’, it would seem sensible that it is led by first line, rather than second, allowing second line Compliance to exercise their oversight and challenge role. 


Top level commitment: In setting out what ‘tone from the top’ looks like, the Guidance doesn’t break any new ground (a commitment to training, a clear fraud/financial crime governance structure, clear communication on the organisation’s stance against fraud, etc.). What is perhaps important is identifying a tangible link to the mission of the organisation, and for Senior Management to be able to demonstrate their commitment, not least by championing a culture that encourages concerns to be raised.


Undertaking a risk assessment: Whilst the existing framework for preventing financial crime can and (to provide a 360 view of all financial crime risks) should be utilised, it is important that the specific risks organisations face in relation to this offence are identified. How and where could an associated person commit the offence? The Guidance suggests developing risk typologies using the three elements of the fraud triangle, with a number of helpful questions relating to each, which would feed into establishing the risks faced.


  • opportunity

  • motive

  • rationalisation


Embedding: Some existing policies and procedures may need to be revised, such as procurement and the due diligence requirements for on-boarding of third parties and associated parties. In addition, contracts with those providing services, for example contractors or agents (those who have the authority to enter into contracts on behalf of the entity), may need reviewing to include appropriate obligations requiring compliance and the ability to terminate in the event of a breach. It is also important to ensure Whistleblowing/Speak up and HR policies adequately cover the offence, indicating an investigation if fraud is detected or suspected.


Monitoring and review: The guidance splits monitoring into three elements:


  •  detection of fraud and attempted fraud; the important element is due consideration as to the frauds that might be intended to benefit the organisation or its clients, whereas previous fraud considerations would perhaps more likely focus on measures for detecting frauds against the organisation.


  • investigations; arrangements for investigating attempted frauds against the organisation would already be in place, but investigations into frauds intended to benefit the organisation would require a different approach, with HR and Legal support. The Guidance asks some helpful questions, such as what triggers an investigation, who authorises one, and when it is determined that an external investigation is required. An approach should be agreed and documented.


  • monitoring the effectiveness of fraud prevention measures. Whilst the Guidance gives examples of areas that should be monitored, for financial services firms, this should slot into the three lines model, with first line in the lead, followed by periodic reviews from second and third line.



Copyright © 2025 Clarionet Consulting 
