New UK Guidance on the Corporate Offence of Failing to Prevent Fraud


On November 6, the UK Government published guidance that provides organizations with important advice on the new corporate criminal offence of ‘Failing to Prevent Fraud’. 

The guidance details requirements to develop and implement reasonable fraud prevention measures. 

CyXcel Partner and Economic Crime lead Michael Balmer highlights key elements of the corporate fraud offence, the government guidance, and the 6 principles around which all reasonable measures should focus.


What is the new offence of failing to prevent fraud?

Under the UK Economic Crime and Corporate Transparency Act (ECCTA), an organization may be criminally liable where an employee, agent or other ‘associated person’ commits fraud intending to benefit the organization and the organization did not have reasonable fraud prevention procedures in place. It does not matter whether directors or senior managers ordered or knew about the fraud.


The offence will make it easier to hold organizations accountable for fraud committed by employees, or other associated persons, which may benefit the organization. The offence should also encourage organizations to implement or improve prevention procedures, driving a major shift in corporate culture to help prevent fraud.

What types of Fraud are covered by the offence?

The offence of failure to prevent fraud applies to a number of specific “base fraud” offences committed by a ‘person associated with the relevant body’. They include: 

  • Fraud by false representation (section 2 Fraud Act 2006);
  • Fraud by failing to disclose information (section 3 Fraud Act 2006);
  • Fraud by abuse of position (section 4 Fraud Act 2006);
  • Participation in a fraudulent business (section 9 Fraud Act 2006);
  • Obtaining services dishonestly (section 11 Fraud Act 2006);
  • Cheating the public revenue (common law); and
  • Fraudulent trading (section 993 Companies Act 2006)

What is an “associated person”?

An employee, an agent or a subsidiary of the relevant body is automatically an ‘associated person’ for the purposes of the Act. A person who provides services for or on behalf of the relevant body is also an associated person while they are providing those services.  

Are all organizations liable?

No. The offence applies to large, incorporated bodies and partnerships across all sectors that meet two out of the three following criteria:

  • more than 250 employees;
  • more than £36 million turnover;
  • and/or more than £18 million in total assets.

These criteria will apply to the whole organization, including subsidiaries, regardless of where the organization is headquartered or where its subsidiaries are located.


What are the penalties?

An organization convicted of an offence of Failing to Prevent Fraud could be liable to an unlimited financial penalty. The actual level of fine imposed will depend upon the circumstances of the case, having reference to any appropriate sentencing guidelines available to the court.


Can organizations be prosecuted now?

No. The offence will come into effect nine months after the publication of this guidance, to allow organizations to develop and implement their fraud prevention procedures.

Is there a defence?

Yes. Organizations will have a defence if they can establish that they have reasonable procedures in place to prevent fraud, or if they can demonstrate that it was not reasonable for the organization to have any prevention procedures in place. The onus will be on the organization to prove that it had reasonable procedures in place to prevent fraud at the time that the fraud was committed.

Six principles of reasonable anti-fraud measures 

On November 6, the UK government issued guidance which sets out procedures that relevant bodies can put in place to prevent persons associated with them from committing fraud offences.

The fraud prevention framework put in place by relevant organizations should be informed by the following six principles:

1. Top level commitment

Responsibility for the prevention and detection of fraud rests with those charged with the governance of the organization. The board of directors, partners and senior management of a relevant body should be committed to preventing associated persons from committing fraud through the following:

  • communication and endorsement of the organization’s stance on preventing fraud, including mission statements;
  • ensuring that there is clear governance across the organization in respect of the fraud prevention framework;
  • commitment to training and resourcing; and
  • leading by example and fostering an open culture, where staff feel empowered to speak up if they encounter fraudulent practices

2. Risk Assessment

The organization should assess the nature and extent of its exposure to the risk of employees, agents and other associated persons committing fraud in scope of the offence. The risk assessment ought to be dynamic, documented and kept under regular review.

3. Proportionate risk-based prevention procedures

An organization’s procedures to prevent fraud by persons associated with it will need to be proportionate to the fraud risks it faces and to the nature and scale of the organization’s activities. They should also be clear, practical, effectively implemented and enforced.

The organization should draw up a fraud prevention plan, including procedures to prevent fraud which are proportionate to the risk identified in the risk assessment.

4. Due diligence

Organizations should conduct due diligence on associated persons, including new employees. Examples of best practice include the following:

  • Using appropriate technology, e.g., third-party risk management tools, screening tools, internet searches, checking trading history or professional or regulated status if relevant, or vetting checks.
  • Reviewing contracts with those providing services, to include appropriate obligations requiring compliance and ability to terminate in the event of a breach where appropriate.
  • Reviewing contracts for agents.
  • Monitoring the well-being of staff and agents to identify persons who may be more likely to commit fraud because of stress or workload.

5. Communication (including training)

The organization should ensure that its prevention policies and procedures are communicated, embedded and understood throughout the organization, through internal and external communication. Training and maintaining training are key. 

6. Monitoring and review

The nature of the risks faced by an organization will change and evolve over time. This may be as a natural result of external developments, or as a result of changes in the organization’s activities. The organization should adapt its fraud detection and prevention procedures in response to the changes in the risks that it faces. Risk assessments should be conducted at consistent intervals. Relevant organizations should also consider whether external factors should trigger an earlier review. An organization may have its review conducted by an external party or may choose to conduct an internal review.

Monitoring fraud prevention measures might include:

  • monitoring of financial controls;
  • collecting data on how many staff have attended fraud prevention training courses and any test results, if applicable;
  • monitoring updates to procedures (for example, due diligence procedures); and
  • monitoring updates to contractual clauses for associated persons

[Photo by Aurelien Chateudon on Unsplash]

 

We can help

CyXcel’s economic and business crime lawyers are experts in acting for both businesses and individuals on matters involving issues such as fraud and corporate crime, bribery and corruption, money laundering, and data protection breaches.

We provide preventative compliance advice to businesses which helps limit the risk and exposure to criminal and regulatory sanctions. We also offer training and e-learning packages that augment that service.

For more information, or to speak with one of our team about how we can help your business, contact us today.