Legal development

Failure to prevent fraud: key insights from UK government guidance

    On 6 November 2024, the UK Government published its guidance (the Guidance) on the new "failure to prevent fraud" offence (the FTPF Offence).  This briefing summarises the key elements of the Guidance and our thoughts on how companies should approach the implementation of fraud prevention procedures. 

    Introduced as part of the Economic Crime and Corporate Transparency Act 2023 (ECCTA), the FTPF Offence is the first notable expansion of UK corporate criminal liability since the introduction of failure to prevent offences for bribery and the facilitation of tax evasion under the Bribery Act 2010 and Criminal Finances Act 2017 respectively.        

    Scope of the FTPF Offence

    Companies will be criminally liable where an "associated person" commits a base fraud offence, with the intention to benefit the organisation, or any person who receives services from the company.  A company will not commit the offence if it is the target or victim of the intended fraud.

    The FTPF Offence will only apply to large organisations which are defined under ECCTA as companies which satisfy two or more of the following conditions:  

    • more than 250 employees;
    • turnover of more than £36 million; and/or
    • a balance sheet total of more than £18 million.

    The base fraud offences cover existing common law and statutory fraud, in addition to offences related to false accounting:

    • Fraud by false representation (section 2 Fraud Act 2006).
    • Fraud by failing to disclose information (section 3 Fraud Act 2006).
    • Fraud by abuse of position (section 4 Fraud Act 2006).
    • Obtaining services dishonestly (section 11 Fraud Act 2006).
    • Participation in a fraudulent business (section 9 Fraud Act 2006).
    • False statements by company directors (section 19 Theft Act 1968).
    • False accounting (section 17 Theft Act 1968).
    • Fraudulent trading (section 993 Companies Act 2006).
    • Cheating the public revenue (common law).

    It is a defence for a company to prove that it had reasonable prevention procedures in place at the time the fraud was committed, or that it was reasonable for no procedures to be in place.  The Guidance provides a framework for companies to consider when implementing fraud prevention procedures.

    FTPF Offence goes live in Q3 2025

    The Government has confirmed that the FTPF Offence will come into force on 1 September 2025. 

    The nine-month implementation period is longer than the six months previously proposed, which indicates the Government's view of the level of work required for companies to assess fraud risk and implement or uplift fraud compliance programmes.

    The Six Principles to follow for implementing fraud prevention procedures

    The Guidance uses the familiar six principles (from existing failure to prevent offences) as a framework for companies implementing fraud prevention procedures.

    1. Top level commitment 

    The Guidance refers to the level of senior governance, communication and oversight in relation to fraud prevention as a key indicator of an effective compliance programme. 

    Building on previous failure to prevent guidance, leadership are expected to take verifiable steps to instil an anti-fraud culture in their organisations, which are supported by consistent messaging to employees and third parties.  In this respect, communication of culture alone (e.g. through company mailshots, townhalls or newsletters) may not be sufficient to demonstrate that senior leadership is committed to fraud prevention. 

    The Guidance provides the following (non-exhaustive) examples of what a top-level commitment from leadership might look like:

    • Senior leadership should actively articulate the business benefits of rejecting fraud (e.g. reputational, counterparty confidence) and the consequences for individuals or entities that breach fraud policies.
    • The Board should be updated on fraud compliance as part of routine compliance updates and oversight. The Guidance suggests that a company's Head of Ethics and Compliance (or a similar person) has direct access to the Board or CEO, even if day-to-day reporting lines are to another senior leader or committee.
    • The Board should commit "reasonable and proportionate" budget for the leadership, staffing and implementation of fraud prevention procedures, which should include training but also technology (e.g. third party due diligence tools).

    2. Risk assessment

    A risk assessment should consider how each of the underlying offences might arise in practice, which requires detailed assessment of and input from key risk owners in the business (e.g. Marketing, Finance, and Sales).   

    The Guidance suggests that risk assessments are approached through a "fraud triangle" looking at: (i) opportunity, (ii) motive and (iii) rationale of associated persons to commit fraud.  Fraud risk assessments should take an inside-out view of risks, focusing on the employees and third parties working for and on behalf of the business. 

    The Guidance makes it clear that risk assessments must be reviewed regularly to ensure they remain fit for purpose and demonstrate that the procedures in place at the time of the fraud are reasonable.  The frequency of review should be based on the size and risk profile of the business, but all companies should consider whether external factors should trigger an earlier or partial review (e.g. acquisitions, expansion of business areas).       

    Fraud risk may also increase during emergencies, so companies should consider how risk assessment findings are built into business continuity plans and disaster plans. 

    3. Risk-based prevention procedures 

    The Guidance states that it is not necessary to duplicate existing work, as many large companies will already be subject to existing regulations that require controls to mitigate the risk of fraud.  The Guidance warns, however, that compliance with other frameworks may not be sufficient, on its own, to constitute reasonable prevention procedures for the FTPF Offence.

    Companies should therefore review existing anti-fraud processes and controls to ensure they capture the full range of offences captured by the FTPF Offence and are calibrated to prevent fraud for the benefit of the company and its clients.  It is important that companies can demonstrate they have reviewed policies and procedures in response to the FTPF Offence, even where it is deemed that existing controls are sufficient or it is reasonable not to introduce measures for a specific risk. 

    When assessing existing policies and procedures, the following points in the Guidance should be considered:

    • A fraud prevention plan should be prepared that details the proportionate fraud prevention procedures that will be implemented in response to the risk assessment.
    • Companies should take a holistic approach to fraud prevention procedures, which should include sanctions or disciplinary measures for individuals or entities that commit fraud.
    • Fraud prevention procedures should be informed by sector-specific guidance (where available) and information in the public domain. In particular, companies should consider case law, regulatory enforcement decisions and published information from industry bodies (such as Cifas and the Fraud Advisory Panel) to inform their approach to anti-fraud measures.

    Testing of controls is also a key factor in demonstrating that they were reasonable at the time a fraud is committed.  The Guidance notes that companies can rely on existing requirements to test controls (where relevant) and need not duplicate testing solely to demonstrate reasonable prevention procedures for fraud (e.g. premium listed companies are required to review and monitor material controls and from 1 January 2026 will be expected to declare the effectiveness of these controls under the UK Corporate Governance Code).   

    4. Due diligence

    Due diligence on employees and third party contracts should be refreshed (where necessary) to take account of the broad range of underlying offences that will attract corporate criminal liability. 

    • The Guidance notes that applying existing procedures tailored to another risk will not necessarily be adequate to address the risk of fraud in a business.
    • Fraud risk may be built into existing diligence processes and conducted either internally or externally, based on the scale of the identified risk.
    • Due diligence should also be conducted in relation to the culture of an organisation, as the Guidance suggests that employee wellbeing should be monitored to identify individuals who may be more likely to commit fraud.
    • There is an expectation that companies assess a target's exposure to fraud risk in M&A transactions and fraud prevention measures should be integrated post-acquisition.

    5. Communication (including training) 

    Communication and training are key to ensuring that fraud prevention measures are embedded in a company.  The Guidance sets very specific expectations on how companies should ensure that all staff have an understanding of the FTPF Offence and their responsibilities, including how to report concerns. 

    • Tone from the top messaging from leadership must have a practical impact. Communications from senior leadership will not be sufficient if there is a practice of disregarding policies and procedures by middle management and junior employees.
    • Companies should also consider whether fraud messaging should be built into other policies to emphasise the scenarios in which employees should be alert to fraud risk (for example, policies related to sales targets, marketing or third party diligence).
    • It is crucial that fraud training covers the wide range of base fraud offences so employees and associated persons can adequately identify fraud risks where they arise.
    • Bespoke, targeted training should be delivered to those in higher-risk functions (e.g. Finance, ESG, Investor Relations, and Sales) so they can identify fraud risk and report it.

    The Guidance emphasises the importance of whistleblowing as a key part of an effective compliance programme.  There is now an expectation for companies to have appropriate whistleblowing arrangements in place, including organisations that do not have a regulatory requirement to have whistleblowing processes.  

    6. Monitoring and review 

    Companies should consider how effective existing controls are for identifying and managing fraud risk and identify risk owners responsible for monitoring and reporting on fraud compliance. 

    • The Guidance suggests companies take a holistic view to monitoring fraud prevention measures that goes further than looking only at anti-fraud controls. In particular, companies should also assess the effectiveness of whistleblowing procedures, data analytics tools and processes to detect unauthorised access or manipulation of data as a means of detecting attempted fraud.
    • The Guidance notes that effective monitoring also includes reviewing arrangements to investigate suspected fraud. This is a wider view than previous failure to prevent guidance, which focused on the review of prevention procedures.
    • Companies should ensure that internal stakeholders or teams responsible for investigating fraud are appropriately resourced and empowered. Investigations of attempted fraud should be independent with processes in place to report findings to the Board and communicate key learnings to the company.
    • Like risk assessments, companies should consider whether external factors trigger a review of fraud prevention measures (in addition to routine or interval-based reviews). For example, in response to an audit, identified criminal conduct by associated persons or following an acquisition or business reorganisation.
    • The Guidance suggests companies use external data to review prevention procedures, including advice from legal or accountancy bodies, previous prosecutions or enforcement decisions and the work of trade bodies. In this respect, companies should consider whether their controls are reasonable relative to their sector and peers, in addition to the specific profile of their business.

    Priority actions in preparation for September 2025

    It will be critical that companies use the nine-month implementation period carefully, to assess their risk of, and their response to, each fraud offence, according to the specific profile and activities of their business.  There should be clear and robust governance for this work with oversight from designated senior stakeholders.  

    Risk assessment is emphasised as a crucial starting point for any business in designing its procedures.  Leveraging existing procedures and targeting focussed areas for uplift will be key to ensuring compliance, while minimising the overall burden imposed by the new offence.

    All staff should have an understanding of the FTPF Offence and their responsibilities, including how to report concerns.  Bespoke, targeted training should be provided to those in higher risk functions or roles.  

    Please contact Ashurst's Corporate Crime & Investigations team if you would like to discuss any aspect of the FTPF Offence.  

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.