‘Failure to prevent fraud’—statutory guidance
On 6 November 2024, the Home Office published the much-awaited ‘failure to prevent fraud’ (‘FTPF’) offence guidance. In this article, associate Emily Russell and legal assistant Edward Griffin from the criminal and financial crime team outline what the guidance says, why it has been introduced, and the six principles businesses must follow.
The guidance, which was introduced by the Economic Crime and Corporate Transparency Act 2023 (ECTA), can be accessed here.
ECTA introduced the FTPF offence, a strict liability offence, whereby large organisations may be held criminally liable when an employee, agent, subsidiary or other ‘associated person’ commits a fraud intending to benefit the organisation. The organisation does not have to know about the fraud; it is enough that it failed to prevent it taking place. FTPF incorporates fraud offences under the Fraud Act 2006 including false accounting, fraudulent trading and obtaining services dishonestly.
The purpose of introducing the FTPF offence, as confirmed in the Government guidance, is to encourage corporate responsibility and self-reporting, prompting companies to create robust fraud prevention systems rather than relying on law enforcement.
However, the offence only applies to large companies, much to the disappointment of critics, as this drastically limits the impact of the new offence. Large organisations are defined in the Companies Act 2006 as organisations meeting two of the following three requirements: i. more than 250 employees; ii. more than £36 million turnover; and iii. more than £18 million in total assets. This limitation is a key distinction from the other ‘failure to prevent’ offences which were introduced in 2010 and 2017.
Although the FTPF offence is narrowly drafted in terms of who can commit it (only large organisations), it is broadly drafted in terms of how it can be committed. The relevant fraud offences can be committed at every level of the organisation, by ‘associated persons,’ internal or external to the organisation, whether inside or outside the United Kingdom. This new FTPF offence has a broader jurisdictional reach, but it does require a connection to the United Kingdom.
In order to establish a defence to an offence of FTPF, an organisation needs to demonstrate that it had ‘reasonable fraud prevention procedures’ in place at the time that the fraud was committed. The much-awaited statutory guidance provides clarification as to what constitutes such prevention procedures.
Implementation: when will the offence come into effect?
The Government guidance has also been hotly anticipated because, for a long time, it was understood that FTPF would only come into force when the statutory guidance was published.
The new guidance makes it absolutely clear, however, that the offence will only come into effect on 1 September 2025. The reason given for this delay is to allow organisations more time to develop and implement their fraud prevention procedures.
Reasonable procedures: six principles to follow
As above, the FTPF offence is not completely novel as the same formulation is contained in the Bribery Act 2010 in relation to the failure to prevent bribery, and in the Criminal Finances Act 2017 in relation to the failure to prevent tax evasion.
The Government guidance lists six principles for businesses to follow in relation to the FTPF offence:
- Top level commitment
- Risk assessment
- Proportionality of risk-based prevention procedures
- Due diligence
- Communication (including training)
- Monitoring and review
These principles are similar to those found in the Bribery Act 2010. However, the guidance provides little practical guidance on what constitutes ‘reasonable’ fraud prevention, making it challenging for businesses to determine the exact measures to take.
We understand that the above principles are intended to be “flexible and outcome-focused,” allowing for the “huge variety of circumstances that relevant bodies find themselves in.” There is concern, however, that the guidance published is not sufficiently comprehensive or clear.
Breaking down the six principles
For ‘top level commitment,’ the guidance states that the responsibility for preventing fraud lies with those governing an organisation, who should promote a culture in which fraud is never accepted. It is accepted that the role senior management play in fraud prevention shall depend on the size and structure of an organisation, but shall likely include communicating the organisation’s stance on preventing fraud, ensuring there is clear governance across the organisation in respect of the fraud prevention framework, leading by example, and creating an environment whereby staff feel empowered to speak out if they encounter fraudulent practices.
Regarding ‘risk assessment,’ the guidance explains that, whilst it is not possible to predict all potential fraud risks, any risk assessment should be “dynamic, documented and kept under regular review.” Risk assessments are to be typically conducted annually or bi-annually, and external factors might provide occasion to conduct a prudent early review, or partial review. Not having conducted a risk assessment shall “rarely be considered reasonable,” and failure to periodically review a risk assessment may lead a Court to determine that reasonable procedures had not been in place at the relevant time.
The ‘Proportionality of risk-based prevention procedures’ stipulates that an organisation is encouraged to “draw up a fraud prevention plan, with procedures to prevent fraud being proportionate to the risk identified in the risk assessment.” Two things of particular note in this section are that “any decision not to implement procedures to prevent a specific risk should be documented, together with the name and position of the person who authorised that decision and reviewed as appropriate” and that compliance processes under existing regulations may not automatically qualify as ‘reasonable procedures’ under ECTA.
Turning to ‘due diligence,’ this section unsurprisingly stresses the importance of proportionality and having a ‘risk-based’ approach tailored to the exposure to said risk. The section does, however, offer some examples of best practice, including application of technology (e.g., screening tools, internet searches, checking trading history or professional or regulated status, if relevant), reviewing contracts with agents and those providing services, including “appropriate obligations requiring compliance and ability to terminate in the event of a breach where appropriate,” and the “monitoring of well-being of staff and agents to identify persons who may be more likely to commit fraud because of stress, targets or workload.”
Moving on to ‘Communication (including training),’ this section highlights that fraud prevention policies should be “communicated, embedded and understood throughout the organisation.” Moreover, it is stressed that communication should not just be top-down, from senior management, but must come from all levels of an organisation. Training should be tailored to those in the highest risk posts. It is worth highlighting that a large proportion of this section is dedicated to whistleblowing: whilst not all organisations are required by regulators to have whistleblowing processes in place for fraud, the implication is that organisations should consider very carefully why any such measures are not in place.
Finally, the ‘monitoring and review’ section stresses the importance of constant vigilance with regard to an organisation’s fraud detection and prevention procedures. We understand that ‘monitoring’ is made up of three elements: i. detection of fraud and attempted fraud, ii. investigations and iii. monitoring the effectiveness of fraud prevention measures. The aim for an organisation, the guidance tells us, is to be continually refining their detection and prevention measures by conducting formalised internal reviews, reviewing whistleblowing incidents, and working closely with trade bodies, or other organisations facing similar risks.
How can we help?
Our criminal and financial crime team at Russell-Cooke has a deep understanding of the intersection of criminal and financial worlds, with deep experience advising on financial crime in multi-jurisdictional matters involving large corporate organisations. We specialise in areas as diverse as fraud, extradition, health and safety breaches, money laundering, and serious criminal offences, offering strategic guidance and comprehensive legal support.
Emily Russell is an associate in the criminal and financial crime team advising clients, including high net worth and ultra-high net worth individuals and large corporate organisations, in connection with a range of matters. Ed Griffin is a legal assistant in the same team.
Get in touch
If you would like to speak with a member of the team you can contact our criminal and financial crime solicitors by email, by telephone on +44 (0)20 3826 7521 or complete our enquiry form.