On 6 November 2024, the Home Office issued its guidance on what constitutes reasonable fraud procedures to provide a defence to the failure to prevent fraud offence introduced by the Economic Crime and Corporate Transparency Act 2023 (ECCTA). This means the failure to prevent fraud offence will come into force on 1 September 2025 and corporates must have their fraud procedures in place by then.
Our Head of Risk and Compliance, Ben Cooper, says: “Corporates have been waiting over a year for this guidance and now the clock is ticking to get their fraud procedures in place by 1 September 2025. With the festive break shortly upon us, corporates need to get started now. As Nick Ephgrave, Head of the SFO, puts it, ‘time is running short for corporations to get their house in order or face criminal investigation’.”
Now the Home Office has issued this guidance, large organisations need to develop and implement reasonable fraud prevention procedures before failure to prevent fraud comes into force on 1 September 2025. Without such procedures, large organisations could face a criminal prosecution and an unlimited fine. The guidance provides useful advice on how to implement reasonable fraud prevention procedures, and we have summarised the key points below.
TLT’s free-to-use failure to prevent fraud health check questionnaire is the ideal starting point. After completing the questionnaire, you will receive a report setting out:
To access the questionnaire, please click here.
Home Office guidance, key points:
A large organisation may be criminally liable where an employee, agent, subsidiary or other associated person commits a fraud intending to benefit the large organisation. It is also an offence where the fraud is committed with the intention of benefiting a client of the large organisation.
It will be a complete defence for the large organisation to show they had reasonable fraud prevention procedures in place at the time of the fraud offence.
The guidance sets out procedures that large organisations can put in place to prevent their employees, agents, subsidiaries or other associated persons from committing fraud.
Large organisations have just over 9 months to put their fraud procedures in place before the failure to prevent fraud offence comes into force on 1 September 2025.
While ECCTA is binding, the guidance is advisory. Departing from it will not automatically mean an organisation does not have reasonable fraud prevention procedures and, equally, it is not intended to provide a safe harbour. Strict compliance with the guidance, but with risks not addressed, is not likely to amount to reasonable procedures.
Sectoral guidance will need to align with the Government’s guidance and be endorsed by the appropriate industry body and, in any conflict between guidance, the Government’s will take priority.
Failure to prevent fraud does not extend to individual liability but does not preclude individuals being charged for the base fraud offence.
The offence only applies to large organisations. That is entities meeting two of the following criteria:
Further, the guidance clarifies that the criteria apply to whole organisations, including subsidiaries, regardless of where the organisation is headquartered or where the subsidiaries are located.
A subsidiary of a large organisation, which is not itself a large organisation, can be prosecuted rather than the parent if an employee of the subsidiary commits fraud intending to benefit the subsidiary. If the employee intended to benefit the parent, then the parent can be prosecuted.
The base fraud offences are listed in schedule 13 of ECCTA. Large organisations can be prosecuted where an associated person commits a base fraud offence, even if the associated person is prosecuted for another offence, or not prosecuted at all. If the associated person is not prosecuted, the prosecution must prove to the criminal standard that the associated person did commit the base fraud offence.
Employees, agents and subsidiaries of large organisations are automatically associated persons. So is a person that provides services for or on behalf of the large organisation. However, fraud that takes place outside of this capacity, e.g. in their private life, does not give rise to liability for the large organisation. Similarly, agents will only be associated persons when acting as agents for the large organisation. Partners in a partnership can be associated persons, but a partnership can be prosecuted for the base fraud offence itself. We note that under section 196 ECCTA corporates can also be prosecuted for fraud committed by their senior managers.
Providing services does not include providing goods, nor does it include providing services to the large organisation, so does not include external lawyers for example. However, the guidance does not clarify that where that external lawyer interacts with third parties on behalf of the large organisation, they would be an associated person.
Companies in the large organisation’s supply chain are not associated persons unless they are providing services for or on behalf of the large organisation. The guidance recognises that a large organisation is only likely to exercise control over its contractual counterparty, not others in the supply chain.
A large organisation does not need to actually receive any benefit; it is enough that they were the intended beneficiary. It will be judged at the time of the offence, so it is not relevant that the large organisation might have to refund the proceeds of the fraud. It also applies where the associated person’s primary motive was to benefit themselves, but where the large organisation will also benefit. The benefit does not need to be financial, so could include a business advantage.
A large organisation is not liable if it was a victim or intended victim of a fraud that was intended to benefit the large organisation’s client. The guidance stresses, however, that the large organisation would not be a victim if it suffers indirect harm, such as damaged reputation or other consequences of being charged with failure to prevent fraud.
The offence has wide extraterritorial reach. It applies to a large organisation, wherever it is located in the world, as long as either the fraud took place in the UK or the gain or loss occurred in the UK. This means that if an associated person commits fraud in the UK, the large organisation could be prosecuted wherever it is based. The overseas large organisation could also be prosecuted where the associated person commits fraud outside of the UK as long as victims of the fraud were UK based. However, this requires actual loss to have taken place in the UK, not just intended loss.
Only the court can decide whether a large organisation had reasonable procedures. For groups based outside the UK, whether they require group wide policies will depend on the level of activities that take place in the UK or the risk of fraud involving victims in the UK. For international groups, the guidance recognises that local laws may prevent the organisation from applying the same procedures overseas that it has in the UK.
A court could also decide that it was reasonable for a large organisation not to have fraud prevention procedures. However, the guidance makes clear that it will rarely be considered reasonable not to have conducted a risk assessment and documented the decision not to implement any fraud procedures. That risk assessment should be kept under review. Elsewhere in the guidance this is suggested at once or twice a year.
The guidance highlights that an organisation’s willingness to self-report and cooperate with a prosecutor will be taken into account in any decision whether to prosecute and, if so, whether a deferred prosecution agreement is suitable.
The guidance also states that where the fraud offence also breaches regulations, the Home Office expects prosecutors and regulators to work together. Interestingly, it confirms that some regulators, such as the FCA, would also be able to prosecute failure to prevent fraud.
The guidance provides 8 examples of how the offence and potential defence apply. Interestingly, it includes a clearing bank example, where Bank C uses Bank D to provide clearing services. The example confirms that Bank D would be an associated person of Bank C and therefore Bank C could be prosecuted if Bank D commits fraud that benefits Bank C’s customers.
The fraud prevention procedures should be informed by the following six principles:
They are the same six principles as under the failure to prevent bribery and tax evasion facilitation guidance, but the order has changed. Top level commitment has moved from second to first place, risk assessment moved up one place to second and proportionate procedures dropped from first to third. This shows the importance the Home Office has placed on top level commitment and it makes sense that the risk assessment comes before the proportionate procedures.
“The board of directors, partners and senior management of a relevant body should be committed to preventing associated persons from committing fraud. They should foster a culture within the organisation in which fraud is never acceptable and should reject profit based on, or assisted by, fraud”. The guidance confirms that the term “senior management” for organisations subject to the FCA’s SMCR may be the same person as the senior manager with responsibility for the organisation’s financial crime compliance programme, or if not, should work closely with them. Top level commitment will be demonstrated by:
The guidance recognises that it may be appropriate to extend existing economic crime risk assessments to include failure to prevent fraud. It also states that as the definition is wide (wider than under the bribery or tax failure to prevent offences) organisations may want to start by identifying typologies of associated persons and considering the circumstances in which those associated persons could commit fraud. It suggests using the fraud triangle to do this. That is to consider across the typologies, the associated persons’:
A new element of the risk assessment is the recommendation to assess the prospect that fraud risks may increase during emergencies. The risk assessment should be reviewed at least annually, and sometimes twice a year.
The guidance recommends that large organisations draw up a fraud prevention plan, with procedures proportionate to the fraud risks they face and to the nature, scale and complexity of the organisation’s activities. The procedures should also be “clear, practical, accessible, effectively implemented and enforced”. The procedures should seek to reduce the opportunity, motivation and rationalisation of fraud and put in place consequences for committing fraud.
It is not necessary to duplicate existing work, and for listed companies there may be some overlap with the UK Corporate Governance Code. However, the guidance is clear that it would not be a defence for a regulated entity to assume its existing compliance processes would automatically provide it with reasonable fraud prevention procedures.
“The organisation applies due diligence procedures, taking a proportionate and risk-based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified fraud risks”.
“The organisation seeks to ensure that its prevention policies and procedures are communicated, embedded and understood throughout the organisation, through internal and external communication”.
“Training should be proportionate to the risk faced. Consideration should be given to the specific training needs of those in the highest risk posts. Training should cover the nature of the offence as well as the procedures to address it”.
The guidance also recommends implementing whistleblowing processes, as it is one of the most effective ways to uncover fraud and other economic crimes.
“The organisation monitors and reviews its fraud detection and prevention procedures and makes improvements where necessary. This includes learning from investigations and whistleblowing incidents and reviewing information from its own sector”.
Publication link |
Published date | 6 November 2024
Who has published it? | Home Office
Publication type | Guidance
Any key dates? | Failure to prevent fraud comes into force on 1 September 2025
What's it relevant to? | ECCTA, failure to prevent fraud
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at November 2024. Specific advice should be sought for specific cases. For more information see our terms & conditions.
Date published
07 November 2024