In our previous update, we advised that the UK Government had published the long-awaited guidance on the failure to prevent fraud offence (the "Guidance"). The offence, which was introduced by the Economic Crime and Corporate Transparency Act 2023 ("the 2023 Act"), will now come into force on 1 September 2025.
As explained in previous updates, organisations within the scope of the offence will be able to establish a defence if they can show that they had "reasonable prevention procedures" in place to mitigate against the risk of fraud being committed by "associated persons". "Associated persons" is a defined term and includes employees, subsidiaries and agents. The onus is on the organisation to prove that it had such procedures in place at the time the fraud was committed.
What are "reasonable prevention procedures"?
Section 199(5) of the 2023 Act provides that reasonable prevention procedures means "procedures designed to prevent persons associated with the body from committing fraud offences". The Guidance supplements the 2023 Act by providing further information on what is meant by "reasonable prevention procedures".
The Guidance provides that fraud prevention procedures should be informed by six principles – you may recognise these principles from the UK Government's Bribery Act 2010 Guidance. In this update we consider the principles in more detail and set out what the Guidance says organisations must do to ensure compliance.
Principle 1: Top level commitment
The Guidance notes that responsibility for the prevention and detection of fraud lies with the leadership of an organisation. Directors, partners and senior management should be committed to preventing associated persons from committing fraud. They should foster a zero-tolerance culture towards fraud. This can be demonstrated by:
- Communication of the organisation's stance on preventing fraud;
- Ensuring there is clear governance across the organisation in relation to its fraud prevention framework;
- Commitment to training and resourcing; and
- Leading by example and fostering a culture whereby employees feel able to speak up about fraudulent practices.
Principle 2: Risk assessment
Given the similarity of the failure to prevent fraud offence to other "failure to prevent" offences (such as failure to prevent bribery and failure to prevent the facilitation of tax evasion), an organisation may be able to adapt existing risk assessments prepared for those purposes to encompass fraud risk.
The Guidance contains step-by-step instructions on how to approach a fraud risk assessment. This should start by identifying the types of associated persons who may present a risk of fraud (for example, agents, contractors, and employees in high-risk roles). It should then consider the range of circumstances in which these associated persons may present fraud risks. In doing so, an organisation should consider the three elements of the "fraud triangle" – (1) opportunity to commit fraud; (2) motivation to do so; and (3) rationalisation after the fact. The Guidance sets out questions to consider in respect of each aspect of the fraud triangle.
Risks identified through this process should be classified by considering both likelihood and impact.
The risk assessment should be kept under review – and the Guidance suggests an annual or bi-annual review.
Principle 3: Proportionate risk-based prevention procedures
The Guidance underlines the need for an organisation's fraud prevention procedures to be proportionate to the risks it faces and the nature, scale and complexity of its activities.
What is reasonable for any given organisation will turn on the level of control and supervision it is able to exercise over an "associated person" acting on its behalf, and the proximity to that person. For example, an organisation is likely to have greater control over an employee than a third party performing services on its behalf.
An organisation should also be mindful that the offence can have extra-territorial effect where there is a "UK nexus". Leaders should therefore consider whether fraud prevention procedures ought to encompass "associated persons" beyond the UK, such as other group companies and their employees. It will be relevant to consider, in this context, the level of control and supervision that the organisation has over non-UK associated persons and whether local laws will be relevant to implementing fraud prevention procedures.
Where it is not appropriate or not possible to put certain fraud prevention procedures in place, organisations should document the decision that has been taken and the rationale for it, and this should be kept under review.
Principle 4: Due diligence
An organisation should conduct due diligence on its associated persons in order to mitigate the fraud risks it has identified as part of its risk assessment. While many organisations will already have established due diligence procedures in place, these must be tailored to ensure they encompass the fraud risks the organisation has identified.
Due diligence on associated persons may involve a range of steps, including:
- Use of technology (e.g. screening and vetting tools);
- Reviewing contracts with service providers to add provisions (1) requiring associated persons to comply with relevant legislation, policies and procedures; and (2) enabling the organisation to terminate the contract in the event of a breach; and
- Monitoring of associated persons to identify any increased risk of fraud.
Principle 5: Communication (including training)
The Guidance explains that communication on fraud prevention procedures is important to ensure these are embedded and understood within the organisation.
The organisation's policy against fraud should be clearly set out, and messaging around this should be consistent across all levels of the organisation. Organisations should also consider integrating fraud messaging into their existing policies and procedures.
Training is identified as the key action here. The Guidance recommends that organisations deliver proportionate training, in particular to those in higher-risk roles, on the failure to prevent fraud offence and the prevention procedures the organisation has put in place.
The Guidance also states that organisations should have whistleblowing procedures in place to prevent fraud.
Principle 6: Monitoring and review
The Guidance sets out that monitoring will include three elements: (1) detection of fraud and attempted fraud; (2) investigations; and (3) monitoring the effectiveness of fraud prevention procedures.
Fraud detection and investigation measures should be targeted at identifying and investigating both frauds against the organisation and wider frauds that may be intended to benefit the organisation or its clients. The Guidance provides a list of relevant questions for organisations to ask themselves in detecting and investigating fraud.
Investigations should be independent, clear about their internal client and purpose, appropriately resourced, empowered and scoped, and legally compliant. The Guidance explains that investigations should be fair to all parties and identifies the importance of seeking legal advice in connection with the conduct of investigations.
The Guidance also notes the importance of organisations taking steps to review their fraud prevention procedures in response to changes in the nature of risks that they face, which will evolve over time.
What do organisations need to do now?
The failure to prevent fraud offence comes into force on 1 September 2025. Organisations should take steps now to update existing policies and procedures to specifically address fraud prevention. It will be important to keep a clear record of all decisions made to respond to the requirements of the 2023 Act in order to evidence compliance with the legislation, and therefore to establish a defence in the event of a future investigation or prosecution for failure to prevent fraud.
This blog is a part of our series of blogs on the changes introduced by the 2023 Act. Further content on the 2023 Act can be found here – including our recent blog on the ID verification requirements being introduced under the 2023 Act.
We will continue to monitor progress with the entry into force of the failure to prevent fraud offence, and publish further updates in due course. If you have any questions about how the 2023 Act may apply to your business or the steps you can take to get ready, please do not hesitate to contact our Corporate Crime and Investigations team.