What’s this about?

UK Finance has published its financial services failure to prevent fraud guidance (the Guidance). The non-binding advisory guidance provides sector-specific guidance to aid firms in understanding and interpreting (i) the failure to prevent fraud offence generally, (ii) the types of prevention procedures, and (iii) the circumstances in which prevention procedures would not be reasonable.

For firms looking to understand their failure to prevent fraud obligations, TLT’s free-to-use failure to prevent fraud health check questionnaire is the ideal starting point. After completing the questionnaire, you will receive a report setting out:

  • Confirmation of whether the failure to prevent fraud offence applies.
  • Your indicative external fraud risk rating.
  • The next steps to take to develop your fraud prevention procedures.

Our Head of Risk and Compliance, Ben Cooper, says: “The Guidance is a must-read for firms looking for additional direction regarding the failure to prevent fraud offence. The Guidance serves as a valuable starting point for firms navigating the new offence, providing a clear framework for assessing and mitigating fraud risks.”


The points not to miss...

Aiding, abetting, counselling or procuring the commission of a listed offence are secondary (inchoate) offences, which can be triggered even where the substantive offence has not been committed. In the context of the failure to prevent fraud offence, the associated person must either (i) have intended to encourage or assist one or more listed offences, or (ii) have encouraged or assisted one or more listed offences believing that the offence(s) would be committed. What matters, therefore, is that the associated person believed that the activity they were encouraging or assisting was a listed offence.

An associated person is any of the following:

  • an employee or an agent of the firm

  • a subsidiary undertaking of the firm

  • an employee of a subsidiary undertaking of the firm

  • a person who otherwise performs services for or on behalf of the firm

A formal agreement (e.g. a written contract) for the provision of services does not need to be in place for a person to perform services for or on behalf of the firm; whether they do so will depend on the facts. The Guidance also clarifies that persons who merely provide services to the firm (e.g. stationery suppliers, or external lawyers, valuers or accountants) are not acting “for or on behalf of” the firm.

The Guidance notes that although it might be reasonable in certain circumstances for a firm not to have prevention procedures in place in response to a particular risk, “it will rarely be considered reasonable not to have even conducted a risk assessment”.

The Guidance identifies circumstances in which it would not be reasonable to expect a firm to have prevention procedures in place for a particular risk, for example where:

  • an in-scope firm provides services entirely outside the UK
  • there are existing contractual commitments and the firm has no grounds to terminate or amend the contracts in order to implement contractual controls

Training programmes should be designed in accordance with FCA expectations. The Guidance also notes that whistleblowing channels should be clearly described, and that policies and procedures should be accessible to employees and agents.

It is a defence if, at the time the fraud offence was committed, either (i) the firm had reasonable prevention procedures in place, or (ii) it was not reasonable in all the circumstances to expect the firm to have any prevention procedures in place. The burden of proof is on the firm: it has to prove (on the balance of probabilities) that one of the defences applies, rather than the prosecuting agency having to prove that it does not.

The Guidance provides a reminder that due diligence procedures are both a form of risk assessment and a means of mitigating risk. The Guidance notes that, in the context of third party associated persons, firms should:

  • apply risk-based due diligence when establishing and reviewing third party relationships
  • document the actions taken to address red flags
  • take appropriate action in respect of associated persons who do not pass ongoing due diligence or other relevant monitoring checks
  • document third party relationships which are terminated because of non-compliance or concerns about the effectiveness of the third party’s failure to prevent fraud controls

The Guidance provides examples of third party relationships which do not make the third party an associated person of the firm, for example insurance brokers who are engaged by the customer rather than by the firm.

A firm will not be guilty of the failure to prevent fraud offence if it was, or was intended to be, a victim of the fraud offence, including where the fraud was intended to benefit a customer.

The Economic Crime and Corporate Transparency Act 2023 (ECCTA) introduced a new corporate offence of failure to prevent fraud, making in-scope firms potentially criminally liable if they fail to prevent a fraud offence committed by a person associated with the firm.

For a firm to have committed the failure to prevent fraud offence, the associated person must have committed the fraud intending to benefit the firm (or, in some cases, a subsidiary or parent undertaking of the firm). The firm is not liable if it was, or was intended to be, the victim of the fraud offence, including where the offence was intended to benefit a customer.

If there is jurisdiction to prosecute the underlying fraud offence, there is jurisdiction to prosecute the failure to prevent fraud offence. This means that, in respect of in-scope firms, the failure to prevent fraud offence only applies where the fraud offence was committed in whole or in part in the UK (for example where it was committed by a UK-based person, was intentionally targeted at a victim in the UK or related to providing false information to a UK market), or where actual gain or loss occurred in the UK.

Non-UK banks do not need to implement reasonable prevention procedures for activities conducted entirely outside the UK merely because they have a UK branch, and UK-headquartered firms will not generally be liable for their overseas employees or subsidiaries in relation to fraud that takes place entirely abroad (i.e. with no UK nexus).

The Guidance provides 20 illustrations of various scenarios covering how the offence works in practice.

The Guidance provides an overview of how the failure to prevent fraud offence interacts with:

  • the Criminal Finances Act 2017

  • Sections 327-329 of the Proceeds of Crime Act 2002

  • the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and the Joint Money Laundering Steering Group Guidance

The failure to prevent fraud offence can only be committed if a person commits a base fraud offence whilst acting in the capacity of a person associated with the relevant firm.

  • Employees: if an employee is acting outside the scope of their employment, a court might find that they were not acting in the capacity of an employee.

  • Third party associated persons: a third party is an associated person only while providing services on behalf of the firm. Providing goods is not the same as providing a service, although a service may in some circumstances be provided alongside a product. Examples of a service include customer relationship management, payment services and advisory services.

The Guidance reminds firms that the FCA expects them to operate a cycle of continuous review and enhancement of their compliance programmes. Firms should also note that a proportionate, risk-based regime is recognised not to be a zero-failure regime: where a failure occurs, the lessons from it should be considered and processes reviewed to ensure improved performance going forward.

Reasonable prevention procedures will be proportionate to the risk identified in the risk assessment. The Guidance notes that a firm may find that its risks are sufficiently mitigated through existing controls; however, this conclusion should be kept under periodic review. Reasonable prevention procedures may be stand-alone or form part of a wider framework. Whatever the chosen approach, the prevention procedures should be documented, practical and realistic.

The Guidance sets out six core principles which inform the reasonable prevention procedures:

  • Risk assessment

  • Proportionate policies and procedures commensurate to the risk

  • Due diligence

  • Communication (training)

  • Monitoring and review

  • Top level commitment (‘tone from the top’)

These are flexible principles to allow each firm to tailor its prevention procedures so they are reasonable and reflect each firm’s specific risk exposures.

The Guidance suggests that a risk assessment with the following features would be reasonable:

  • Areas of risk – identifying and assessing the risk of activities, departments and/or roles held by associated persons, to identify which pose a higher (and lower) risk of committing fraud with the intention of benefiting the firm.
  • Territorial scope – consideration of the territorial scope of the failure to prevent fraud offence, given that the corporate criminal offence is only triggered where there is a UK nexus to the underlying fraud offence.
  • Levels of risk – consideration of the level of risk exposure across the firm’s activities, departments and/or roles.
  • Ownership – a clear assignment of ownership and responsibility for the risk assessment framework, the performance of the risk assessments and the delivery of any resulting actions.
  • Documentation and integration – the risk assessment process, its conclusions and any resulting actions should be clearly documented.
  • Review – the risk assessment should be reviewed on a periodic basis.

Subsidiary undertaking has the same meaning as in section 1162 of the Companies Act 2006. A UK subsidiary can be prosecuted in its own right, rather than the parent, if an employee of the subsidiary commits fraud intending to benefit the subsidiary.

A fraud offence is an act which constitutes (i) a listed offence or (ii) aiding, abetting, counselling or procuring the commission of a listed offence. The base fraud offences are listed in Schedule 13 of ECCTA. These are criminal acts that require intent and (in most cases) dishonesty.

As a result, actions solely attributable to AI or other machine-driven processes (including, for example, trading algorithms) would not constitute a fraud offence.

Senior executive management responsibility should be documented. For financial services firms, this expectation will likely mean making specific reference to failure to prevent fraud in the accountabilities mapping for the relevant holders of senior management functions under the FCA’s senior managers regime.

The onus of proving both intention and benefit lies on the prosecution, to the criminal standard, i.e. beyond reasonable doubt. The Guidance clarifies that a prosecution for the failure to prevent fraud offence can only proceed if the prosecution can prove beyond reasonable doubt either (i) that a benefit was intended (even if it was unlikely to materialise) or (ii) that a positive outcome was a virtually certain consequence of the associated person’s actions.

The offence applies to in-scope (large) firms, meaning firms that meet two or more of the following criteria:

  • Turnover of more than £36 million
  • Balance sheet total of more than £18 million
  • More than 250 employees

The Guidance also clarifies that a parent company can be brought into scope where, consolidated with its subsidiaries, the group meets the above criteria.

At a glance...

  • Publication link: UK Finance Failure to Prevent Fraud Guidance
  • Published date: 11 February 2025
  • Who has published it? UK Finance
  • Publication type: Guidance
  • Any key dates? The failure to prevent fraud offence comes into force on 1 September 2025
  • What's it relevant to? Financial services, banks, ECCTA, failure to prevent fraud

Want to discuss?

Ben Cooper

Jason Cropper

Date published

18 February 2025
