The Guidance to organisations on the offence of failure to prevent fraud (the Guidance), introduced under the Economic Crime and Corporate Transparency Act 2023 (ECCTA), has finally been published by the U.K. Government. With it, we also learn that the offence will come into force on 1 September 2025.
In a written statement, the Government described the Guidance as “similar in structure to the guidance for the existing offences of failure to prevent bribery…and failure to prevent the criminal facilitation of tax evasion...Most organisations subject to the offence will therefore be familiar with the concepts and approach set out in the Guidance.”
The Guidance sets out good practices, provides theoretical examples and confirms the general principles for developing and enhancing procedures to prevent fraud.
Quick refresher
- The offence is intended to: ‘make it easier to hold organisations to account for fraud committed by employees, or other associated persons, which may benefit the organisation, or in certain circumstances their clients’.
- It applies to large, U.K. incorporated bodies and partnerships across all sectors (Large Organisations).
- It also applies to non-U.K. Large Organisations, provided there is a U.K. nexus.
- A Large Organisation is one which meets two of the following three criteria (in the financial year preceding the year of the base fraud offence and taking the organisation as a whole, including subsidiaries):
  - more than 250 employees
  - more than £36 million turnover
  - more than £18 million in total assets
The fraud offences
A ‘fraud’ offence is any offence listed in Schedule 13 of ECCTA. These are referred to in the Guidance as ‘base fraud’ offences. The list can be amended by the Secretary of State and includes aiding, abetting, counselling or procuring any of the base fraud offences.
It is important to note that the corporate offence of failure to prevent fraud is not dependent on the conviction of an associated person.
There are defences available where an organisation can prove that, at the time of an alleged offence, it either:
- had in place such prevention procedures as it was reasonable to expect; or
- had no procedures in place, as it was not reasonable to expect that it should.
This is consistent with the defences available for the failure to prevent the facilitation of tax evasion offences, but contrasts with the failure to prevent bribery offence, where the additional, second form of defence is not provided for in the Bribery Act 2010.
Key takeaways in the Guidance
The Guidance is in similar terms to the existing guidance for other failure to prevent offences. It includes the “six principles” which have become familiar from the Bribery Act Guidance published in 2011.
The Guidance has incorporated principles highlighting the benefits of cooperation with law enforcement agencies. It has also emphasised the collaboration that is expected between regulators and prosecutorial bodies, where there is a possible regulatory breach and a potential failure to prevent fraud offence.
Where there is overlap with auditing requirements, it will be insufficient to rely solely on the audit for assurance as to the appropriateness of the organisation’s prevention procedures. The rationale is that an audit is not required or designed to identify all frauds or to provide a ‘reasonable procedures’ defence.
There are aspects of the Guidance specific to the failure to prevent fraud offence and we have identified these key takeaways:
- Meaning of “intending to benefit”
  - This is to be viewed from the position of the associated person.
  - Conduct can be intended to benefit the organisation, even if the organisation would be required to reimburse the proceeds of the fraud.
  - An intention to benefit the organisation does not have to be the sole or dominant motivation for the fraud.
  - The intended benefit may be financial or non-financial.
- Meaning of “victim of the fraud”
  - An organisation is a “victim of the fraud” where the loss caused or intended would be borne by the organisation, or the fraud was committed with the intent to harm the organisation.
  - An organisation is not a victim where the harm suffered is indirect.
- Territoriality – U.K. Nexus
  - The base fraud offence must be an offence under U.K. law.
  - This requires a U.K. nexus, i.e. one of the acts forming part of the offence occurred in the U.K., or the gain or loss occurred in the U.K.
  - No offence is committed by an organisation, including a U.K. organisation, whose overseas employees or subsidiaries commit an offence with no U.K. nexus.
- Reasonable Prevention Procedures
  - A parent company can take steps to prevent fraud by subsidiaries, for example by implementing group-level policies and training, ensuring there is a nominated person responsible for fraud prevention in each subsidiary.
  - For groups based outside the U.K., whether it is appropriate to have group-wide policies could depend on the type of activities in the U.K. which may give rise to fraud risks.
  - Different policies for overseas employees and associated persons may be expected.
  - Reasonableness of procedures should take into account the level of control, proximity and supervision the organisation is able to exercise over a particular person acting on its behalf.
  - Establishing the reasonableness of a decision not to introduce measures in response to a particular risk will almost inevitably require proof that a risk assessment was conducted and identification of the individual who authorised that decision; this is similar to the guidance for the offence of failure to prevent the facilitation of tax evasion.
  - Particularly for regulated sectors, to avoid the duplication of work, organisations are advised to assess whether existing regulatory compliance mechanisms, financial reporting controls and fraud prevention measures would be sufficient to prevent any fraud risks identified in a risk assessment carried out for the purposes of the new failure to prevent fraud offence.