On this Ropes & Gray podcast, join Amanda Raad, co-head of the firm’s global anti-corruption and international risk and crisis management & investigations practices, Nitish Upadhyaya, director of behavioral insights at the R&G Insights Lab, and Sarah Lambert-Porter, a senior attorney in the litigation & enforcement practice, as they explore the significant new "failure to prevent fraud" offence in the UK, which comes into force on September 1, 2025, and its far-reaching implications for organizations worldwide. Together, they discuss the scope of the offence, exceptions and defenses, and what companies are (and should be) doing to prepare their organizations. Even if you have just a few minutes, there is a snappy quick-fire guide at the start of the podcast to orient listeners on the key features they need to be aware of.
Transcript:
Nitish Upadhyaya: Hello, and welcome to this Ropes & Gray podcast. I’m Nitish Upadhyaya, director of behavioral insights at R&G Insights Lab. I specialize in bringing insights from human behavior and culture into the world of legal and compliance. I’m joined by Amanda Raad and Sarah Lambert-Porter, who are with us to discuss a huge development in the world of fraud offences.
Amanda Raad: I’m Amanda Raad. I am a London-based partner at Ropes & Gray who is U.S. and UK qualified. I help clients manage risk globally. I deal with crises as they come up. I deal with investigations and enforcement, whether it be in fraud or corruption, and bribery, trade compliance, money laundering, culture, you name it. What about you, Sarah?
Sarah Lambert-Porter: I’m Sarah Lambert-Porter. I’m an associate in the London office of Ropes & Gray and, like Amanda, I help out with managing risk, be that financial or non-financial through compliance counseling and interacting with regulators and authorities and through to remediation. It’s like the circle of life but for risk.
Nitish Upadhyaya: We’re going to take our listeners through the circle of life of this fraud offence, but for those of you who only have a few minutes today, we wanted to give you some highlights. So, what are we talking about here today?
Sarah Lambert-Porter: We’re talking about the new “failure to prevent fraud offence,” which is the UK’s third strict liability failure to prevent-style offence, the first being bribery and the second being tax evasion. And you know what they say: “The third time is a charm.” That’s certainly true for this new offence, because it’s a mixture of the familiar “failure to prevent” concept but it’s got some new and not immediately obvious quirks to it.
Nitish Upadhyaya: Sounds big and potentially different to what people have seen before. When does it come into force?
Sarah Lambert-Porter: First of September 2025.
Nitish Upadhyaya: That’s super soon. It sounds like just a UK offence, right?
Amanda Raad: I love that you said “UK,” Nitish. It is a failure to prevent UK offence, but the reach is actually very far. The jurisdictional requirements require only a limited nexus to the UK, and so, there’s exposure that goes really globally.
Nitish Upadhyaya: So, something not any global corporations can really ignore. What’s the best risk mitigation strategy?
Sarah Lambert-Porter: The first and most critical step is to carry out a decent risk assessment and then to use that to identify how you should supplement your existing compliance framework of policies and procedures to address that risk that you’ve identified, in a proportionate and reasonable way. But obviously, having all of the policies and procedures in the world won’t account for anything if you don’t have a strong compliance culture, which is the other really critical mitigation ingredient.
Nitish Upadhyaya: And what’s the regulatory mood music?
Amanda Raad: I think the regulators are quite happy about this. This is a favorite of the Serious Fraud Office (“SFO”) director. It’s one that we’ve been waiting for a while, and the idea that this is an offence, that fraud is an issue that is broad. This is one that I think everybody’s looking forward to using as a tool to address multiple risk areas.
Nitish Upadhyaya: So, lots of detail to come, but let’s take a step back. Where does this fit in the global regulatory landscape?
Amanda Raad: I can’t help—given that I am U.S. qualified and spent many years of my career living and working in the U.S.—mentioning just for a moment some of the developments with enforcement in the United States and the impact or thought on how those developments along with this offence all fit together. If you take a step back and think about the pause that is still in place with the Foreign Corrupt Practices Act, it has left regulators and companies around the world trying to figure out what impact that has and what will be the next tool that people might use. We’ve spent a lot of time talking to people and reminding people that the law still exists in the United States—it is still illegal to engage in bribery—but I think there’s a lot of pressure from some organizations to maybe scale back certain compliance resources or scale back certain resources based on this current pause that is there.
This is an example where you have not only the UK Bribery Act, which remains in place, but here you have a new offence coming into place for fraud, which has really broad extraterritorial reach, and everybody’s looking to the international global regulators to say, “Are you going to step up and are you going to fill the void somehow?” We saw the recent partnership between the UK, France, and Switzerland for the [Anti-]Corruption Prosecutorial Taskforce, and then, you also have this new offence coming in right at the same time where you’ve heard the director of the SFO say this is a favorite. All eyes are on regulators around the world to see what they’re going to do. So, I think it’s important to have that backdrop in mind just because the uncertainty and the change that’s going on with enforcement globally creates, I think, a heightened risk anyway for organizations, and then, you have new rules coming into place at the same time—it’s a little bit of a perfect storm.
Nitish Upadhyaya: Well, into the maelstrom we go, and let’s figure out some of our key substantive points. Our first big question is: What is it? Now, fraud, when it comes to mind, people might think of accounting fraud or they might think of receipt embezzlement expenses. But, Sarah, give us an overview of what this offence actually encompasses.
Sarah Lambert-Porter: Sure. In a nutshell, the offence is that any organization that’s been a corporate or a partnership regardless of where they are located or incorporated or indeed operating, if that organization meets two or more of the criteria that make it a so-called “large organization,” it will be guilty of this offence if an associated person commits a relevant fraud offence intending to benefit that large organization or an entity or a person to whom that associated person is providing services for on behalf of that large organization—so, essentially, the large organization’s customers or clients. If an associated person does that with the intent to benefit the large organization or its clients, then the large organization can be guilty of this offence.
There are some concepts in there that may be familiar or unfamiliar, depending on how you’re coming at this, but to break it down into its constituent parts, to be a so-called “large organization,” you need to have met two of the three criteria that are in the act in the financial year preceding the year in which the fraud offence occurred—so, that is:
- over £36 million in annual turnover,
- over £18 million in balance sheet assets,
- or over 250 employees.
Those criteria were designed quite specifically to exempt small and medium enterprises (“SMEs”), and that was the result of a debate in parliament around whether this would just be too much of a burden for them. So, at the moment, they are out, but there is potential in the act for them to be brought in at a later stage. The other thing that’s worth noting is that those criteria have individual and group applications, so the parent undertaking of a group of several non-large organizations, which I guess I’ll call “small organizations,” can still qualify as a large organization if it meets the criteria on an aggregate basis. And the second point to note is, where there is a qualifying large organization at the top of the group, then it’s still possible for a small organization to be liable if one of its associated persons, for example, one of its employees, commits a fraud intending to benefit the small organization. So, not 100% straightforward.
Nitish Upadhyaya: What types of behavior are being captured here?
Sarah Lambert-Porter: This is designed to stop people from committing fraud, essentially, and the types of fraud offences that are going to be in scope are all listed in a schedule to the act. But the important thing to note is it’s not just the fraud offences that are listed there—it’s also anyone who’s aiding and abetting can also qualify. So, a quick run-through of the types of fraud offences that are in that schedule: it’s things like fraud by false representation. That’s where greenwashing and other ESG-related misstatements could prove to be really fertile enforcement ground, particularly given the UK regulators’ focus on that area. The other thing is fraud by failing to disclose information. That can also include not disclosing conflicts of interest, fraud by abuse of position—that’s your classic embezzling situation—false accounting, fraudulent trading, and then, the good old common law offence of cheating the revenue. Those are the fraud offences at the heart of this.
Nitish Upadhyaya: So now, we’ve got a sense of the types of offences. What sorts of corporations could get caught?
Sarah Lambert-Porter: Unlike the UK Bribery Act, this will only apply to so-called “large organizations”—a corporate or a partnership—and that’s regardless of whether incorporated, located, or operating.
Nitish Upadhyaya: What about the penalties?
Sarah Lambert-Porter: The penalties are going to be a fine, but importantly, this act also makes the failure to prevent fraud offence one of the offences for which there can be a deferred prosecution agreement, and so, I think that’s the more likely outcome for this kind of offence. It also gives rise to the specter of private prosecutions, and so, that is another area that corporates really need to be focused on, because the risk could come from any of those three areas.
Amanda Raad: Thanks, Sarah. I think just to pause on it for one second, one thing that sits with me is, again, just the breadth of what is covered, what is prohibited, and the kinds of fraud that are prohibited. A lot of times, we see organizations approach risk from a siloed approach, and you may be looking to prove a potential corrupt act or you may be in violation of money laundering, and as you are working through that, you may find effectively something that is prohibited by this act in many places along that chain or course. And so, in some ways, I do think that the breadth of what is covered by this offence is challenging for companies but perhaps, also, maybe a little bit helpful for companies to think about risk a little bit more holistically and a little bit less from a siloed approach, which we still do see a fair amount of.
Nitish Upadhyaya: I think we see silos in the organization itself, but I’ve also seen people siloing their businesses and saying, “It’s a UK statute—it’s not going to affect us. We’ve got plenty of other things to worry about.” It sounds like that’s not the case, and the jurisdiction and the territory of jurisdiction is much wider. What other bits of an organization might end up being caught by the regime?
Amanda Raad: This is broader than the UK Bribery Act in some ways, because it is more akin to the way jurisdiction works for the Foreign Corrupt Practices Act in the United States where if you can show any nexus to the UK—any potential benefit to the UK or any potential harm that involves the UK with regard to the fraud—then you can be caught and swept in. You can imagine many situations where maybe you have people here—employees here, agents here, investors here—because of the global reach of this, it really is a global law. It isn’t a UK law. The group of companies that could potentially fall subject is just much, much broader.
Sarah Lambert-Porter: As Amanda said, it’s going to require a little bit of a shift of mindset for those who are used to dealing with the Bribery Act, because the territorial scope hinges effectively on the underlying fraud offence and whether that has a UK element to it. So, did any of the elements or the acts that constitute the underlying fraud offence occur in the UK? Or was the intended benefit or loss due to materialize in the UK, or did it actually materialize there? The situation can definitely arise where you’ve got a large non-UK organization having liability for the fraud act of a person outside of the UK, who is a non-UK employee, a non-UK citizen, and the only nexus is that there was a more indirect victim in the UK It’s going to be a very fact-sensitive question in each case, and it’s definitely not as obvious as the Bribery Act where all you needed to worry about was, is the entity incorporated in the UK—yes or no? If not, was it carrying on business or part of the business in the UK—yes or no? So, very different.
Nitish Upadhyaya: So far, so broad. Any exceptions or defenses that firms can avail themselves of?
Sarah Lambert-Porter: Yes—there is an exception and a defense. It will be an exception if you, as the large organization or indeed the small organization in a large group, are the intended or actual victim of the fraud. You won’t be liable at the same time, which would be unfair. In terms of defenses, much like the UK Bribery Act, there is a defense if you can prove to a civil standard, so on the balance of probabilities, that you had reasonable fraud prevention procedures in place at the time that the offence occurred.
Nitish Upadhyaya: What are we seeing clients and firms generally doing to prepare for the offence, given the scope of it and the defense that you’ve outlined?
Amanda Raad: Firms are really looking to get ready for the offence obviously by the date in September, so they’re starting to take a look at this. We’ve been advising a lot of people trying to figure out exactly how you do that. Everybody wants to make sure that they have adequate procedures in place—that we know how to do. But I think some people have spent perhaps too much time so far trying to decide whether they’re in scope or out of scope. What we have been advising clients to do is, given the breadth that we’ve just been talking about here today, consider yourself in scope for purposes of your risk management programs. Also, preventing fraud is a good thing to prevent anyway, so you’re going to be in a winning situation if you just consider yourself in scope for purposes of taking the steps that you would want to take to develop adequate procedures.
Then, when it comes to actually developing adequate procedures, one of the first things that you have to do is a risk assessment. We’ve had some debates with clients about how much they can leverage the risk assessments they’ve done in other risk areas. For example, under the UK Bribery Act, if they’ve done a risk assessment, how relevant will that be to the risk assessment that needs to be done here? What we’ve been trying to really make sure people understand is, of course, that’s an important part of the puzzle and should definitely be referenced and not siloed off and not off on its own, but, as we’ve said, it’s not just the bribery and corruption-type fraud risks that we’re talking about here—we’re also talking about misrepresentations or failure to make disclosures, and so, it is not a one-for-one. So, a risk assessment that is actually tailored around this offence is necessary, and it’s definitely the fundamental first step that everybody should be taking as they consider what they should be doing next.
Sarah Lambert-Porter: The key thing is that the procedures that you have in place need to be proportionate to the risk, and that’s why the risk assessment is so important, as Amanda said. You can only determine that what you’ve done is reasonable if you understand the risk properly and have acted proportionately. So, the procedures, according to the guidance, should be informed by these six outcomes-based principles, which are familiar to anyone who’s been dealing with the UK Bribery Act or indeed the Financial Conduct Authority’s general requirements for compliance assessments. Those six elements are the risk assessment, first of all, and then, secondly, is proportionate risk-based prevention procedures, which we’ve discussed. Then, that filters into three, due diligence; four, communication, which includes training; five, monitoring and review; and then, six, top-level commitment or senior buy-in, which is really important to drive the whole thing forward.
Nitish Upadhyaya: What are some of the stickier points and hot topics that you’re seeing? Sarah, you mentioned ESG. Amanda, we’ve talked a little bit about risks stemming from investments and organizational structures. Let’s give our listeners some insights into some of the trickier points they might encounter.
Amanda Raad: I think consistent with what I mentioned a few minutes ago about wrestling over whether or not companies are in scope or out of scope, one of the other issues that we’ve definitely seen, especially for investors, whether or not their investment—a portfolio company, an acquisition target—is in scope or out of scope. We’ve been advising for all the reasons I just mentioned, you are better off considering this in scope and integrating it into your overall program that you have with other risk areas for many, many reasons, including just effective business, but also, from a risk and compliance perspective. And with the requirements of adequate procedures also focusing on due diligence, we’re spending a lot of time helping people start to think about how do you incorporate this analysis into the due diligence that you would do in the investment space, as well as to the recommendations that you would make for once you make that investment, what a compliance program should look like, how you monitor an investment over time, and how, in fact, you respond to any issues that may come up and investigations that may need to happen. So, effectively, we are taking this offence and integrating it into the compliance models in the investment space in preparation for this coming into play.
Sarah Lambert-Porter: We see a lot of clients getting really bogged down in the details of their corporate structure and which entities meet the threshold criteria, and so on. If you know that you’ve got at least one “large organization,” so-called, anywhere in your group, the much better use of time and energy is to really analyze where that risk is. So, look at the associated persons who are likely to be the ones that bring you into the scope of this offence and look at their scope for fraud, what opportunities they have, and where that would likely have a UK nexus, and then, seek to address that in a really proportionate way. I think the bigger picture to keep in mind with all of this is that the offence and the resultant defensive procedures that you have are all designed to drive cultural change—that is the stated purpose in the actual official guidance, and that was very much the intention in the parliamentary debates when this was going through that process. It’s certainly a strict liability offence, but it’s much more likely that the thing that is going to get you into trouble and into an enforcement situation is if you have systemic cultural issues and systemic failings that lead to this fraud being perpetrated, so that’s something to always keep in the back of your mind when you’re doing this.
Amanda Raad: Because I love a good comparison, I have to compare one more time to the Foreign Corrupt Practices Act, because I spent the good portion of my early career debating who is and who is not a “government official.” Similar to what I landed on there is you almost have to assume everybody is a government official for purposes of deciding your approach to dealing with risk, otherwise, you end yourself in this defense position when the time comes of trying to argue the point. You can still argue at the right time, if necessary, that you aren’t caught by this. If there is a charge ultimately brought and you want to make the argument that actually you are not within scope, you can still very well make that, but from an effective procedures perspective, you are just so much better off actually having considered it in scope. I think that’s a good analogy to keep in mind, because I know a lot of us have been on that journey over the years.
Sarah Lambert-Porter: By the time you end up in an enforcement situation where you are trying to defend yourself, a lot of the damage—reputational and otherwise—has been done, so you want to avoid that as much as you can.
Nitish Upadhyaya: Absolutely. I think, Sarah, as you said, so much of this comes back to culture. We know that it’s an FCPA priority. We know that it’s very much the stated indication of why this act is there in the first place. And so, I think over and above the risk assessments and the soul-searching that firms will have to do to make sure that they have the right processes in place, they’ve got to be thinking about how they can assess their culture of fraud prevention, and it might be wider than that. It might be the culture of compliance and ethics generally, the culture of integrity—however they want to define it—but how do you get past the employee surveys and the engagement aspects that normally companies put into place? How are you going to put in front of a regulator a piece of work that shows that you have actually dug deep into the culture of the organization? You have found the gaps, you have assessed the stories that people are telling about what it means to do the right thing or whatever your values are, and what does that mean ultimately for it? I also get really excited about this, because there is a psychology element and a behavioral element to fraud prevention. and I’m excited to do some of the research in that area and bring data into play. It’s not just going to be policies, procedures, trainings—all of the things that are part of the standard toolkit and an important part of the toolkit from a legal perspective—but so much of this is going to be behavioral, and I think, again, the regulator gets that and they are wise to the fact that this is a holistic approach to making this work. I think we’ll end up seeing firms getting credit for the depth of work that they do if they end up with a situation where they are in an enforcement position.
Amanda Raad: So glad you mentioned culture, because to sum it up, I really feel like culture is the thread that brings the adequate procedures to life, if you will. It’s the piece that runs through all of it, that breaks this all up from being a check-the-box, if you will, approach to managing outcomes to really understanding what’s happening, why it’s happening, and influencing those outcomes.
Nitish Upadhyaya: Before we come in with some final thoughts for our listeners about what you should be doing right now, I’ve heard the words “reasonable procedures” and “adequate procedures” mentioned today. I know some of it comes from the Bribery Act. Is there a difference?
Sarah Lambert-Porter: It’s an interesting question, Nitish, because in the first failure to prevent offence, which was the Bribery Act, they used the words “adequate procedures.” Then came the Criminal Finances Act, and that had, for tax evasion, the words “reasonable procedures.” And now, we have, again, “reasonable procedures,” so it’s likely not a material difference. For the purposes of this one, we talk about “reasonable procedures” in the act—it’s a distinction without a difference.
Nitish Upadhyaya: Thanks for clearing up that part of it. Now, firms have no excuse in that sense of figuring out which one’s which—no dilly-dallying. So, what should listeners be doing right now? What’s one thing they can take away from this and get on with as soon as they finish listening to this episode?
Amanda Raad: I think firms should be thinking about how they are going to approach a risk assessment for fraud within their organization.
Sarah Lambert-Porter: I would add to that that the clock is ticking. We hosted a failure to prevent fraud roundtable event about two weeks or so ago for an assortment of clients in the asset management space, and we carried out a survey at the start. It was really interesting to see that only 14% of them had actually started taking any action to prepare for this offence, and the 86% who remained were in the very preliminary stage of what I think I labeled the “planning to plan” phase. So, while there is certainly a lot of time to get your compliance program ducks in a row by the first of September, I think firms really need to not underestimate what is involved, and so, if they needed one, let’s hope that this is the trigger that gets them off the starting blocks.
Nitish Upadhyaya: To summarize quite a large topic, it’s a big offence. It covers more than just what you might typically think about as fraud. It comes into force on the first of September, which is really not that far away. It isn’t just a UK offence—this really does apply with the smallest of UK nexuses. It’s not something that any corporation can ignore. There is a defense, which is incredibly helpful, which is the reasonable procedures defense. Folks really need to be thinking now about how they are doing their risk assessments, and how they are measuring and assessing their culture of fraud prevention to make sure that they’re in a good place if and when the regulator comes knocking. And to be sure, this is something that regulators are incredibly, incredibly focused on.
We’re working with lots of clients at the moment on how to manage it in the first place, building on their existing programs, and doing a lot of benchmarking across the market about what peer firms are up to and what seems to be proportionate for the size of the business. We’re here to think about it with you—and to that end, we have a webinar on the 21st of May, which will dive much deeper into the legal aspects of the offence.
If you have any questions about today’s topics or anything related, feel free to reach out to us. For more information about this offence or our practice area more generally, visit our website at www.ropesgray.com. If you enjoyed our discussion, please subscribe and listen on Apple Podcasts, Spotify, or your favorite podcast platform. Thank you for listening. Thank you so much, Amanda and Sarah. And have a wonderful day.
