The New Failure to Prevent Fraud Offence: Are you prepared?
The UK Fraud Strategy 2023 reported that fraud represents 41% of all crime committed in the UK. With the Association of Chartered Fraud Examiners Report to the Nations 2024 estimating that the average organisation loses 5% of its annual revenue to fraud each year, fraud is very much on the board agenda.
By introducing the new offence of ‘failure to prevent fraud’ as part of the Economic Crime and Corporate Transparency Act (ECCTA), the Government is trying to close some of the loopholes used by organisations to avoid prosecution and improve fraud detection. Fraud can have devastating consequences for not only individuals but also businesses, employees, shareholders and other stakeholders. Businesses should always ensure they have robust fraud prevention and detection measures in place to protect their interests and those of their stakeholders. Failure to do so can now also lead to an unlimited fine.
Why make it easier to prosecute organisations for failing to prevent fraud?
The ECCTA has significantly altered the landscape for corporate criminal liability in relation to fraud. In addition to introducing the new failure to prevent fraud offence, it also revises the traditional identification doctrine. This means that authorities, including the SFO, can hold organisations accountable for the commission of fraud by Senior Managers as well as their “directing mind and will”.
The need to identify the "directing mind and will" of an organisation, typically top executives or board members, made prosecution challenging because these individuals are often distant from the day-to-day operational decisions where fraud often occurs. It was difficult to establish liability.
Under the ECCTA, the Senior Manager Test now applies. This test broadens the range of individuals whose actions can lead to corporate liability by focusing on senior managers: those involved in management decisions.
If a senior manager of a body corporate or partnership acting within the actual or apparent scope of their authority commits a relevant offence, the organisation is also guilty of the offence.
Does the legislation apply to my business?
The failure to prevent fraud offence applies directly to large organisations in all sectors that meet two or more of the following criteria in the year preceding the base fraud offence:
- More than 250 employees
- More than £36 million turnover
- More than £18 million in total assets
These criteria apply to the whole organisation, including subsidiaries. If an employee of a subsidiary of a large organisation commits a fraud that is intended to benefit the subsidiary, the subsidiary may be prosecuted under the Act. Furthermore, if an employee of a subsidiary of a parent company that is a large organisation commits a fraud that is intended to benefit the parent company, that parent company may be prosecuted under the Act.
Exemption from the legislation should not be used as a reason not to develop and maintain effective fraud prevention and detection measures that protect your organisation from the financial and reputational consequences of fraud.
What penalties can be applied for failing to prevent fraud?
Section 199(12) of ECCTA sets out potential sanctions and provides that certain offences could lead to potentially unlimited financial penalties. The new failure to prevent offence is a corporate offence, but prosecuting authorities may also bring prosecutions against individuals for the base fraud offences committed.
If an organisation either co-operates fully with an investigation or self-reports with a full disclosure to the prosecuting authorities, this may be considered in any decision to begin criminal proceedings and in the type of proceedings, such as prosecution or a deferred prosecution agreement.
What is meant by “intending to benefit”?
The legislation places a new focus on ‘outward fraud’, where the organisation itself benefits from fraud. It requires organisations to consider the circumstances in which frauds committed by its employees and associated persons could benefit the organisation. The organisation must consider all circumstances where fraud may be committed by employees and/or associated persons across the organisation.
It is enough that the organisation, or a client, was an intended beneficiary of the base fraud; they do not actually have to receive a benefit. In fact, benefitting the organisation does not even need to be the sole or dominant reason for the fraud. Even where the primary reason for the fraud was personal gain, the organisation could potentially benefit.
Defence of Reasonable fraud prevention procedures?
The Guidance published by the Home Office on 6 November sets out the key considerations for organisations in the development of their fraud prevention procedures. It defines six principles which should inform organisations in the development of their fraud prevention framework. These principles mirror those set out under previous corporate criminal failure to prevent offences such as bribery and the facilitation of tax evasion.
Those principles are:
- Top level commitment
- Risk assessment
- Proportionate risk-based prevention procedures
- Due diligence
- Communication (including training)
- Monitoring and review
If a matter proceeds to court, the onus is on the organisation to prove that the procedures it had in place were reasonable to prevent the fraud at the time that the fraud was committed. The reasonableness of procedures will take into account the level of control, proximity and supervision that an organisation is able to exercise over a particular person acting on its behalf.
In limited circumstances, it may be deemed reasonable not to introduce measures in response to a particular risk. However, any decision made not to implement procedures to prevent a specific risk should be based on a risk assessment and properly documented, together with the name and position of the person who authorised that decision.
Any risk assessment should be kept under review. The frequency of review is a matter for the organisation. However, if the risk assessment has not been reviewed recently enough, a court may determine that it was not fit for purpose and therefore ‘reasonable procedures’ were not in place at the time of the fraud.
What should my organisation do now?
The Home Office has published specific guidance to support organisations in relation to the procedures deemed ‘reasonable’ in preventing fraud. Organisations should use this guidance to implement effective fraud prevention frameworks. Due to the similarity between the guidance across fraud, bribery and tax evasion, your organisation may already have a foundation in place to build out an effective fraud framework.
Nonetheless, you may wish to consider the following questions:
- Does your organisation have a detailed and robust Fraud Risk Assessment across the organisation and does this cover both inward and outward fraud?
- Has your organisation identified and defined its associated persons under the scope of failure to prevent offences?
- Are you comfortable that you have controls operating effectively to both prevent and detect fraud for all the fraud risks identified?
- Does your organisation’s culture help to reduce the risk of fraud and what is the quality of any fraud awareness training for your staff?
- Does your organisation have a fraud policy, and when was it last reviewed to ensure it is in line with current legislation and best practice?
- How effective are your whistleblowing arrangements? Would your staff know what to look for and how to respond to suspicions of fraud?
- How does your organisation respond to allegations of fraud? Do you carry out root cause analysis of the misconduct and implement measures to mitigate the issues?
- Does your organisation carry out due diligence on new employees and third parties to protect your organisation from fraud committed by an “associated person”?
How we can help
Our team of fraud experts can help you to develop and operate a comprehensive fraud risk management framework including the following elements:
Fraud Risk Assessments
We help clients conduct and refresh fraud risk assessments to identify both inward and outward fraud risk exposures and the appropriate controls.
Fraud Prevention and Detection Controls
Based on the fraud risk assessment, we help you understand whether you have the required preventative and detection controls in place. We conduct a controls gap analysis exercise and then help to remediate controls gaps and weaknesses identified. We can also assist in the identification of material fraud controls in line with the new Corporate Governance Code.
Fraud Risk Management Frameworks
We carry out maturity assessments of fraud risk management frameworks comparing them to the COSO principles and other relevant industry guidance for combatting fraud and financial crime. Based on our analysis, we then work with you to develop a plan to enhance your fraud risk management framework so that it is tailored to your circumstances and needs.
Fraud Risk Policies
We help to review or develop fraud risk-related policies and procedures by working with you to ensure policies are practical and effective. We also help our clients implement their policies and procedures and communicate those effectively to their employees and stakeholders.
Fraud investigation and remediation
We help organisations to respond to suspected fraud incidents quickly and effectively. We both identify root causes of the fraud and develop a remediation plan to prevent future incidents. Our approach is collaborative. We will work closely with you throughout the process to ensure that you are fully informed and able to make the right decisions.
Anti-fraud Training
We deliver anti-fraud training programmes to ensure consistent awareness of the fraud risks our clients face. Training sessions can be conducted online or in-person and can vary in duration based on your needs.
Fraud Culture
We help clients foster an anti-fraud culture across their organisation by conducting fraud risk culture assessments aligned to requirements of the new Corporate Governance Code.
We would be delighted to help you and your organisation respond effectively and efficiently to the new failure to prevent fraud offence. We can also help you address any other issues with your organisation’s fraud prevention framework. If you would like to discuss your needs, please complete the contact form below and a member of the team will be in touch.