Failure to prevent fraud: key insights from UK government guidance
11 November 2024
On 6 November 2024, the UK Government published its guidance (the Guidance) on the new "failure to prevent fraud" offence (the FTPF Offence). This briefing summarises the key elements of the Guidance and our thoughts on how companies should approach the implementation of fraud prevention procedures.
Introduced as part of the Economic Crime and Corporate Transparency Act 2023 (ECCTA), the FTPF Offence is the first notable expansion of UK corporate criminal liability since the introduction of failure to prevent offences for bribery and the facilitation of tax evasion under the Bribery Act 2010 and Criminal Finances Act 2017 respectively.
Companies will be criminally liable where an "associated person" commits a base fraud offence, with the intention to benefit the organisation, or any person who receives services from the company. A company will not commit the offence if it is the target or victim of the intended fraud.
The FTPF Offence will only apply to large organisations which are defined under ECCTA as companies which satisfy two or more of the following conditions:
The base fraud offences cover existing common law and statutory fraud, in addition to offences related to false accounting:
It is a defence for a company to prove that it had reasonable prevention procedures in place at the time the fraud was committed, or that it was reasonable for no procedures to be in place. The Guidance provides a framework for companies to consider when implementing fraud prevention procedures.
The Government has confirmed that the FTPF Offence will come into force on 1 September 2025.
The nine-month implementation period is longer than the six months previously proposed, which indicates the Government's view of the level of work required for companies to assess fraud risk and implement or uplift fraud compliance programmes.
The Guidance uses the familiar six principles (from existing failure to prevent offences) as a framework for companies implementing fraud prevention procedures.
The Guidance refers to the level of senior governance, communication and oversight in relation to fraud prevention as a key indicator of an effective compliance programme.
Building on previous failure to prevent guidance, leadership are expected to take verifiable steps to instil an anti-fraud culture in their organisations, which are supported by consistent messaging to employees and third parties. In this respect, communication of culture alone (e.g. through company mailshots, townhalls or newsletters) may not be sufficient to demonstrate that senior leadership is committed to fraud prevention.
The Guidance provides the following (non-exhaustive) examples of what a top-level commitment from leadership might look like:
A risk assessment should consider how each of the underlying offences might arise in practice, which requires detailed assessment of and input from key risk owners in the business (e.g. Marketing, Finance, and Sales).
The Guidance suggests that risk assessments are approached through a "fraud triangle" looking at: (i) opportunity, (ii) motive and (iii) rationale of associated persons to commit fraud. Fraud risk assessments should take an inside-out view of risks, focusing on the employees and third parties working for and on behalf of the business.
The Guidance makes it clear that risk assessments must be reviewed regularly to ensure they remain fit for purpose and demonstrate that the procedures in place at the time of the fraud are reasonable. The frequency of review should be based on the size and risk profile of the business, but all companies should consider whether external factors should trigger an earlier or partial review (e.g. acquisitions, expansion of business areas).
Fraud risk may also increase during emergencies, so companies should consider how risk assessment findings are built into business continuity plans and disaster plans.
The Guidance states that it is not necessary to duplicate existing work, as many large companies will already be subject to existing regulations that require controls to mitigate the risk of fraud. The Guidance warns, however, that compliance with other frameworks may not be sufficient, on its own, to constitute reasonable prevention procedures for the FTPF Offence.
Companies should therefore review existing anti-fraud processes and controls to ensure they cover the full range of offences captured by the FTPF Offence and are calibrated to prevent fraud for the benefit of the company and its clients. It is important that companies can demonstrate they have reviewed policies and procedures in response to the FTPF Offence, even where it is deemed that existing controls are sufficient or it is reasonable not to introduce measures for a specific risk.
When assessing existing policies and procedures, the following points in the Guidance should be considered:
Testing of controls is also a key factor in demonstrating that they were reasonable at the time a fraud is committed. The Guidance notes that companies can rely on existing requirements to test controls (where relevant) and need not duplicate testing solely to demonstrate reasonable prevention procedures for fraud (e.g. premium listed companies are required to review and monitor material controls and from 1 January 2026 will be expected to declare the effectiveness of these controls under the UK Corporate Governance Code).
Due diligence on employees and third party contracts should be refreshed (where necessary) to take account of the broad range of underlying offences that will attract corporate criminal liability.
Communication and training are key to ensuring that fraud prevention measures are embedded in a company. The Guidance sets very specific expectations on how companies should ensure that all staff have an understanding of the FTPF Offence and their responsibilities, including how to report concerns.
The Guidance emphasises the importance of whistleblowing as a key part of an effective compliance programme. There is now an expectation for companies to have appropriate whistleblowing arrangements in place, including organisations that do not have a regulatory requirement to have whistleblowing processes.
Companies should consider how effective existing controls are for identifying and managing fraud risk and identify risk owners responsible for monitoring and reporting on fraud compliance.
It will be critical that companies use the nine-month implementation period carefully, to assess their risk of, and their response to, each fraud offence, according to the specific profile and activities of their business. There should be clear and robust governance for this work with oversight from designated senior stakeholders.
Risk assessment is emphasised as a crucial starting point for any business in designing its procedures. Leveraging existing procedures and targeting focussed areas to uplift will be key to ensuring compliance, while minimising the overall burden imposed by the new offence.
All staff should have an understanding of the FTPF Offence and their responsibilities, including how to report concerns. Bespoke, targeted training should be provided to those in higher risk functions or roles.
Please contact Ashurst's Corporate Crime & Investigations team if you would like to discuss any aspect of the FTPF Offence.