Failure to Prevent Fraud Offence – Home Office Guidance Update
By James Gliddon, Ben Hay, Gena Ritchie, Billy Blackall, Tom Bradley
7 Nov 2024 | 3 minute read
On 6 November 2024, the Home Office published its guidance ("Guidance") on the ‘Failure to Prevent Fraud’ offence ("FTP Offence"). Consequently, following the 9 month implementation period, the FTP Offence will come into force on 1 September 2025. From that point, large organisations can be liable for up to an unlimited fine if they benefit (or are intended to benefit) from the fraud of an "associated person".
This brings to an end lingering uncertainty as to the two new fraud offences created by the Economic Crime and Corporate Transparency Act 2023 ("ECCTA").
Background
To recap briefly:
- ECCTA received Royal Assent in October last year and amongst measures to reduce fraud facilitated by the UK's open corporate regime, it introduced (a) the FTP Offence (s199 ECCTA) and (b) the attribution of criminal liability to organisations for the acts of their "Senior Managers" (s196 ECCTA). You may recall our previous articles and briefings on this (here and here) which provided an analysis of those two key new fraud-related offences.
- A failure to prevent fraud offence was a key recommendation of the House of Lords Fraud Act 2006 and Digital Fraud Committee's report – Fighting Fraud: Breaking the Chain, published in November 2022. The form of the offence was then subject to significant debate between the Commons and the Lords over its precise scope and application as ECCTA made its Parliamentary progress.
- The FTP Offence provides that large organisations may be liable for failing to prevent fraud in the event that one of the fraud offences (set out in Schedule 13 ECCTA), is committed by an employee, agent, subsidiary, or other “associated person” intending to benefit the organisation. In certain circumstances, the offence will also apply where the fraud offence is committed with the intention of benefitting a client of the organisation.
- The large organisation will have a defence if it had reasonable procedures in place to prevent fraud (the "Defence").
The Guidance
The publication of the Guidance was a key step before the FTP Offence could come into effect.
Whilst the Guidance (found here) assists organisations in understanding what "reasonable" fraud prevention procedures may look like for them, understandably, it is not prescriptive nor does it provide a blueprint to follow.
What are reasonable measures will vary from organisation to organisation and depend on their particular circumstances, for example, their size/complexity and the markets in which they operate. It is very unlikely that, for complex organisations, simply having an anti-fraud policy will be sufficient.
The Guidance suggests that organisations will need an anti-fraud culture in order to have the best chance of relying upon the Defence.
Further, the Guidance recognises its limited scope for the sector-specific nuance, which our research into organisations' preparedness (here) suggested was needed. Whilst sector-specific guidance is envisaged, none is yet available. Therefore, organisations should adopt a holistic and proactive approach to ensure effective preparation and the pervasive anti-fraud culture expected.
The Guidance helpfully highlights the following key aspects of the FTP Offence:
- The FTP Offence applies to large, incorporated bodies and partnerships across all sectors of the economy. The Guidance provides further explanatory detail of what is meant by “large organisations” and “incorporated bodies and partnerships”. It also confirms that the relevant criteria apply to the whole organisation, including subsidiaries, regardless of where the organisation is headquartered or where its subsidiaries are located.
- The FTP Offence applies to a number of specific fraud offences, which the Guidance refers to as ‘base fraud’ offences. These are listed in Schedule 13 of ECCTA. Aiding, abetting, counselling, or procuring the commission of any of the listed offences would also qualify as a base fraud offence (section 199(6)(b)).
- An associated person may or may not be under contract to the relevant body, and small organisations may be “associated persons” while they provide services for or on behalf of large organisations.
- An organisation does not need to receive any benefit for the offence to apply – since the fraud offence can be complete before any gain is received. It is enough that the organisation was intended to be the beneficiary. Examples may include dishonest sales practices, the hiding of important information from consumers or investors, or dishonest practices in financial markets.
The above is a non-exhaustive summary of the overview in the Guidance, which we would encourage all organisations (large and small) to consider in light of their own fraud risk assessment.
The Guidance sets out that the fraud prevention framework put in place by relevant organisations should be informed by the following six principles, which are intended to be flexible and outcome-focussed:
- Top level commitment: The Guidance sets out that the responsibility for the prevention and detection of fraud rests with those charged with the governance of the organisation.
- Risk assessment: Organisations should assess the nature and extent of their exposure to the risk of employees, agents and other associated persons committing fraud in scope of the offence.
- Proportionate risk-based prevention procedures: An organisation’s procedures to prevent fraud by persons associated with it should be proportionate to the fraud risks it faces and to the nature, scale and complexity of the organisation’s activities. They should also be clear, practical, accessible, effectively implemented and enforced.
- Due diligence: Organisations should apply due diligence procedures, taking a proportionate and risk-based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified fraud risks.
- Communication (including training): Organisations should seek to ensure that their prevention policies and procedures are communicated, embedded and understood throughout the organisation, through internal and external communication (and appropriate whistleblowing arrangements should also be in place).
- Monitoring and review: An organisation should monitor and review its fraud detection and prevention procedures and make improvements where necessary. This includes learning from investigations and whistleblowing incidents and reviewing information from its own sector.
Whether or not an organisation has appropriate fraud prevention measures in place will be fact-sensitive and the onus will be on the organisation to prove that it did indeed have such procedures in place (the standard of proof being the balance of probabilities).
The Guidance also outlines examples of where and how the new regime overlaps with the UK’s existing legislative and regulatory landscape:
- Firstly, the Guidance recognises that the common law offence of “cheating the public revenue”, which is one of the base fraud offences, is also one of the base offences caught by the offence of failure to prevent facilitation of tax evasion in the Criminal Finances Act 2017. However, whilst the base offence remains the same for both failure to prevent offences, the Guidance explains that an organisation’s existing procedures to prevent the criminal facilitation of tax evasion may not be sufficient on their own as the offences serve different purposes and the new offence covers a wider scope in terms of who can commit the offence of “cheating the public revenue”.
- Secondly, given that organisations falling within the scope of the FTP Offence are generally subject to auditing requirements, the Guidance makes clear that whilst audits may be useful in identifying certain potential fraud risks, they cannot sufficiently guard against an accusation of failure to prevent fraud. As a result, the Guidance recommends that organisations do not solely rely on the auditing process to provide them with assurance in respect of their fraud prevention and detection controls.
- Lastly, the Guidance clarifies that for listed companies whose boards report on an organisation’s principal risks and controls under the UK Corporate Governance Code (the “Code”), there is no need to duplicate work where these concern fraud risks identified in the assessment for the failure to prevent fraud. That said, although compliance with the Code may contribute to an organisation’s defence of “reasonable procedures” in the context of the FTP Offence, on its own it is not sufficient to constitute that defence in practice.
Next Steps
Organisations (including those that do not currently meet the required threshold of a large organisation) should be taking steps to adopt reasonable fraud prevention measures in line with the Guidance.
Large organisations should be undertaking fraud risk assessments in order to design appropriate measures, not just to avoid being criminally liable under the FTP Offence (and the unlimited fines and reputational damage that come with it) but to minimise the wider risk of fraud.
However, we also encourage other organisations (outside of the large organisation definition) to undertake a similar exercise, particularly as fraud is more prevalent than organisations often realise. Our own research found that 45% of organisations had a fraud incident in the preceding 12 months. Whilst smaller organisations may be out of scope of the FTP Offence, the losses, reputational damage and risk that they find themselves facing fraud-based claims brought by third parties are potentially existential.
Finally, all organisations (large and small) should be alive to the current risk of the changes to the corporate attribution regime - meaning, since 26 December 2023, they can be liable for fraud committed by any senior managers in their organisation. Please see our previous articles and briefings in this regard (linked below).
Contact our fraud specialists to discuss:
- Your organisation's fraud risk and response to fraud.
- The types of measures that organisations should be adopting based on their specific circumstances.
- Our fraud prevention accelerator workshops (to quickly upskill key areas of the business).
- Fit for purpose anti-fraud policies, procedures and monitoring (and how to create the all-important anti-fraud culture).
You can read our thought leading research into preparedness published here: Fraud prevention and response survey: A unique insight into corporate attitudes and readiness.