The Fundraising Regulator recently announced that it has completed consulting and engaging stakeholders on its proposed new Fundraising Code of Practice (the "Fundraising Code" or "Code") which it expects to publish in early 2025, along with a timetable for implementation. Although specific updates have not been confirmed, the review of the Code aims to simplify and update the existing Code to account for changes in legislation, technology and fundraising behaviour, while also clarifying the current standards to which charities are held accountable in a clear and accessible manner.

Charities that engage in fundraising activities should prepare for the new Fundraising Code by considering the risks and responsibilities associated with fundraising in order to brush up on housekeeping and ensure good practice. In this blog, we discuss third party contracts, partnerships and outsourcing of fundraising activities, data protection and ePrivacy, cyber risk, and anonymous / cryptocurrency donations as key risks in relation to fundraising. We also consider how charities can tidy up their fundraising activities to mitigate risk and better place themselves for the new Fundraising Code.

Third party contracts, partnerships and outsourcing

One risk for charities is the use of standard template contracts when engaging with third parties in the build up to and during a fundraising campaign or event. While template contracts can streamline the contract creation process by saving time and reducing costs, they are not always suitable, particularly for arrangements that require more customised or tailored solutions.

For example, a charity may partner with a corporate sponsor through a sponsorship agreement. This agreement should outline each party's obligations, the scope of sponsorship, payment terms, cancellation, and the extent of any trade mark or logo licenses. These elements can vary significantly between sponsors depending on business structures and the nature of the event, and more complex arrangements may require deviating from standard payment terms or standard provisions about the use of IP for promotional purposes.

A charity may also engage a coordinator to host and organise the event through an event management agreement. Whether this needs confidentiality provisions or terms to transfer or allocate risk will, again, depend on what is required in the circumstances. For example, is the event organiser the charity or the coordinator? Who is responsible for ensuring compliance with health and safety or dealing with complaints? How is money handled? Who is underwriting the cost of the event?

Exclusive events where the privacy of attendees is a sensitive matter may require confidentiality terms, and events that offer entertainment may require insurance terms to ensure adequate coverage for potential risks and liabilities.

Charities should therefore consider whether they expect a standard fundraising setup, for which a template contract may be suitable, or whether they expect a more complex arrangement with personalised criteria that requires the precision and customisation of a tailored contract.

Where a template contract is used, it is prudent to ensure it is up to date. In the wake of the COVID-19 pandemic, many contracts – both template and tailored – were found to have unsatisfactory force majeure and cancellation provisions, which resulted in payment issues. To avoid uncertainty, it is good practice for charities to review and update templates to ensure they address current risks and offer adequate protections.

Data protection and ePrivacy

Another risk for charities arises from data protection and ePrivacy laws. The UK General Data Protection Regulation and Data Protection Act 2018 (UK Data Protection Laws), and the Privacy and Electronic Communications Regulations 2003 (ePrivacy Rules) set out rules for how organisations can collect, store and use individuals' personal information and how they can issue marketing communications, which charities may do in the course of taking donations, contacting supporters and communicating with prospective contributors.

UK Data Protection Laws require charities to have a lawful basis for processing data, ensure data accuracy, and implement security measures to protect information. Charities must also provide individuals with the ability to access their data and have it rectified and deleted. Importantly, charities must collect personal data in a fair and transparent manner and ensure that their privacy notices specify how, why and what data is being collected.

The ePrivacy Rules sit alongside UK Data Protection Laws and regulate electronic marketing and the use of cookies and tracking on webpages among other things. In short, these rules require charities to have prior consent for the purposes of (i) issuing electronic marketing (e.g., emails or SMS), (ii) engaging in non-essential tracking and (iii) sending automated calling messages. Charities cannot rely on the so-called "soft opt-in" that is available to commercial traders.

The Fundraising Regulator already emphasises the importance of charities meeting their general data protection law and electronic marketing obligations at section 3 of the Code in its current form. These rules can easily be breached during fundraising campaigns if charities are not fully aware of their responsibilities and obligations. It is therefore important for charities to ensure they understand and keep up to date with their obligations under UK Data Protection Laws and ePrivacy Rules to ensure compliance.

Cyber risk

Cyber risk is an increasing issue for all organisations, including charities, with the Charity Commission for England and Wales recently reporting it opened 603 cases relating to fraud and a further 99 cases relating to cyber crime issues in the last year. Cyber risk covers any exposure to harm or loss that might arise from breaches of or attacks on IT systems, and extends beyond personal data breaches to disruption of an organisation's operations. It can affect email systems, customer relationship management systems, file storage or other internal operational systems.

Cyber risk can take a range of forms. For example, opportunists may exploit weak security systems, cybercriminals may target charities with direct attacks (e.g., phishing attacks, malware, social engineering), or third party systems used by an organisation may suffer from these issues.

Reputational damage from insecure systems can affect charities significantly as donors and supporters may be less likely to offer their support if they are unsure about the security of their data. The day-to-day operations of a charity can also be disrupted due to the loss of systems and data. Financial costs can also be incurred as a result of any clean-up that is required, putting in place workarounds or from potential claims from affected individuals.

To mitigate cyber risks, charities should train staff to understand the systems they have in place and consider what steps should be taken to ensure their security and carry out robust diligence on third party service providers. This will help limit the likelihood of a breach or attack occurring. Furthermore, preparing and implementing a business continuity plan and incident response plan will help address and recover from unexpected disruptions and minimise any downtime.

Anonymous donations and cryptocurrencies

While charities have long faced the risk of receiving fraudulent or illicit funds, this risk has evolved in the digital age with the emergence of anonymous and less traceable forms of money, namely cryptocurrencies. The Charity Commission recently issued guidance advising charities to assess anonymous forms of donations and apply adequate safeguards.

Unlike traditional forms of money, such as cash and bank transfers, cryptocurrencies are less regulated, more difficult to trace and more easily able to obscure the source of funds, making it difficult to verify the origins and legitimacy of donations.

Accepting unverified cryptocurrency donations which are linked to fraudulent or illegal activities can lead to compliance issues and reputational damage for charities as this can result in a breach of anti-money laundering laws, association with illegal activities and a lack of trust in charities as an institution.

Donor due diligence is a key aspect of funds risk management, which section 2.3.3 of the Code in its current form requires charities to carry out, appropriate for the size and nature of the donation, before accepting donations. This aims to ensure that donations are legitimately sourced. The donor due diligence process involves conducting checks and verifying the background and identities of donors in line with anti-money laundering rules to mitigate the risk of accepting money from persons associated with illegitimate activities.

The anonymity and regulatory uncertainty of cryptocurrencies may make donor due diligence more challenging, so charities should be on alert and always verify donor identities. Educating staff on the risks and consequences of accepting unverified funds should also be prioritised as a mitigation strategy. Additionally, preparing clear cryptocurrency donation policies and partnering with reputable cryptocurrency exchanges may help mitigate the risk of unsourced crypto donations flowing through.

Good housekeeping

To fundraise effectively, charities must keep up to date with market developments so they can assess the level of risk associated and make the necessary commercial adjustments. By assessing third party contracts on their own individual merit, charities can mitigate the risk associated with contracts that do not properly deal with the risks or are unfit for the intended purpose. By reviewing their data protection and ePrivacy obligations and considering cyber threat, charities can address the risk of data breaches and ensure the security of sensitive information and systems.

Furthermore, by reinforcing donor due diligence practices, charities can reduce the likelihood of receiving unverified donations.

Ultimately, identifying commercial risks and taking precautionary measures allows charities to minimise risk and to position themselves optimally in advance of the new Fundraising Code.

If you have any questions about the issues raised in this blog, please contact Martin Sloan or your usual Brodies contact.

Contributors

Ussamah Nasar

Solicitor

Martin Sloan

Partner

Rachel Lawson

Associate