Failure to prevent fraud guidance published – what do businesses need to do now?

This article was updated on 13 November 2024 to clarify the FTPF Offence implementation date, following the Government issuing an amendment to the relevant guidance.

Overview

As part of the Economic Crime and Corporate Transparency Act 2023 (the "ECCTA"), which was granted Royal Assent on 26 October 2023, a new 'failure to prevent fraud' offence was introduced in the UK (the "FTPF Offence"). The FTPF Offence is modelled on similar existing offences for 'failure to prevent bribery' and 'failure to prevent the facilitation of tax evasion'. The FTPF Offence is intended to hold certain corporate entities criminally liable for fraud committed by their associates (unless they have reasonable procedures in place to prevent fraud). The FTPF Offence comes into effect on 1 September 2025, following the government publishing guidance in relation to the same.

Since the Government initially announced the FTPF Offence, the question of what 'reasonable procedures' from a fraud prevention perspective should look like has been at the forefront of many corporate agendas. On 6 November 2024, the Government published its guidance on the FTPF Offence (the "Guidance"), which sets out some of the recommended procedures that organisations can put in place in order to prevent fraud arising on the part of the business and its associates and, importantly, to help avail themselves of a defence where a FTPF Offence does arise. In this briefing we discuss the background to the FTPF Offence, along with the procedures set out in the Guidance to help in-scope organisations comply with their new obligations. With the publication of the Guidance in effect starting the clock on the FTPF Offence taking effect on 1 September 2025, we recommend affected businesses take action sooner rather than later.

BACKGROUND TO THE FTPF OFFENCE

Back in 2022, the government at the time undertook an assessment of corporate criminal liability in the UK, following which it asked the Law Commission to carry out a review of the relevant law and to present a set of options for reform. The assessment was set against a backdrop of growing concern that the UK was falling behind globally in adequately holding corporate entities – especially large companies – to account for economic crimes, including fraud.

In 2022, the Justice Committee report on 'Fraud and the Justice System' noted that of the estimated 4.6 million fraud offences committed each year, only around 7,000 defendants were prosecuted by the CPS. The figures for corporate entities were much smaller, with the Serious Fraud Office ("SFO") only prosecuting 11 companies in the ten-year period from January 2010 to September 2020.

The Law Commission published its options paper on 10 June 2022, where it proposed that the government (amongst other things) introduce a new 'failure to prevent fraud' economic crime offence designed to widen the scope for effective corporate criminal liability in the UK.

As set out above, the FTPF Offence was enshrined into law the following year through the introduction of the ECCTA. Organisations have a full defence to the FTPF Offence if they can demonstrate that they have "reasonable procedures in place to prevent fraud, or if they can demonstrate to the satisfaction of the court that it was not reasonable in all the circumstances to expect the organisation to have any prevention procedures in place".

The ECCTA stipulated that the FTPF Offence would not take effect until after the Guidance on what represents reasonable fraud prevention procedures was published. Now that it has been published, the Guidance confirms that the FTPF Offence will come into effect on 1 September 2025.

THE FTPF OFFENCE

2.1 What is it and who is in scope?

The FTPF Offence is set out in sections 199 to 206 of the ECCTA. The FTPF Offence can be made out in one of two ways:

  1. "Large organisations" are liable under the FTPF Offence if they fail to prevent an associated person from committing a specified fraud offence, where the fraud was intended to benefit (either directly or indirectly): (i) that entity, or (ii) any person to whom, or to whose subsidiary undertaking, the associated person provides services on behalf of the organisation; or

  2. The subsidiary of a large organisation, which is not itself a large organisation, can also be held liable if it fails to prevent fraud committed by an employee of the subsidiary where the fraud was intended to benefit the subsidiary.

"Large organisations" are defined in section 201 of the ECCTA as an organisation that meets at least two of the following criteria (in the financial year of the organisation that precedes the year of the fraud offence):

  • More than £36 million turnover;
  • More than £18 million in total assets; or
  • More than 250 employees. 

These criteria apply to the whole organisation, including subsidiaries, and turnover includes the turnover of a parent company's subsidiary undertakings.

These or similar thresholds will be (somewhat) familiar to persons dealing with the recent influx of ESG-related legislation (in the UK and elsewhere) seeking to impose additional obligations on larger entities to report, or take actions relating to, various environmental, social or financial ethics related risks/impacts.

While the FTPF Offence is a "strict liability" offence (i.e., the prosecution does not need to prove any awareness, intention or knowledge on the part of the entity involved), there is a full defence if the relevant organisation can show that, at the time the Base Fraud Offence was committed, it either (i) "had in place such prevention procedures as it was reasonable in all the circumstances to expect the body to have in place" or (ii) "it was not reasonable in all the circumstances to expect the body to have any prevention procedures in place".

It is anticipated that the latter defence will be a harder test in many cases to satisfy – however, this could potentially be relied on by a parent company, for example, if the organisation's structure is such that the parent company cannot realistically establish fraud controls within the subsidiary. We also note that an entity will not commit an FTPF Offence if the body itself was, or was intended to be, the victim of the fraud offence.

For England and Wales, the specified fraud offences included under the FTPF Offence are listed in Schedule 13 to the ECCTA, and include:

  • False accounting (section 17 of the Theft Act),
  • False statements by company directors (section 19 of the Theft Act),
  • Fraudulent trading (section 993 of the Companies Act 2006),
  • Fraud by false representation (section 1 and 2 of the Fraud Act 2006),
  • Fraud by failing to disclose information (section 1 and 3 of the Fraud Act 2006),
  • Fraud by abuse of position (section 1 and 4 of the Fraud Act 2006),
  • Participating in fraudulent business carried on by sole trader (section 9 of the Fraud Act 2006),
  • Obtaining services dishonestly (section 11 of the Fraud Act 2006), and
  • Cheating the public revenue.

(together, the "Base Fraud Offence"). The list of Base Fraud Offences is slightly different in Scotland and Northern Ireland (due to how laws have been implemented in these jurisdictions).  

Importantly, aiding, abetting, counselling, or procuring the commission of any of the above listed primary offences would also qualify as a relevant offence (see section 199(6)(b)).

Territoriality

The FTPF Offence does not only apply to UK businesses but has extraterritoriality (i.e. applies outside of the UK) and applies wherever an associated person of a large organisation (wherever incorporated) commits a Base Fraud Offence which is triable under UK law.

  • For example, if a UK-based employee of a large organisation incorporated overseas commits a Base Fraud Offence (e.g. by committing relevant acts while on UK territory) – then that large organisation could still be prosecuted for an FTPF Offence.
  • Equally, if an associated person of a UK business commits a Base Fraud Offence outside of the UK, but there is a UK nexus (e.g. targeting UK victims) – then that organisation can also be prosecuted. 

2.2 Who commits the fraud and who benefits?

The Base Fraud Offence is committed by an "associated person", who can be an employee, agent, or any other person providing services for or on behalf of the organisation (while they are providing those services).

“Providing services” does not include providing goods, nor does it apply where someone is providing services to the relevant body (rather than for or on their behalf) (e.g. external lawyers, accountants etc).

Example 1

A company (which is a "large organisation") may commit an FTPF Offence where a person associated with that company commits a Base Fraud Offence, and some of the benefits of this fraud are intended for the relevant company.

Example 2

A company (which is a "large organisation") may commit an FTPF Offence where a person associated with that company commits a Base Fraud Offence whilst offering services to the clients of the company on behalf of the company, and some of the benefits of the fraud are intended for the clients.

Example 3

A company (which is a "large organisation") may commit an FTPF Offence where a person associated with that company commits a Base Fraud Offence while offering services to subsidiaries of a client of the company, on behalf of the company, and some of the benefits are intended for the subsidiary of the client.

Example 4

A subsidiary (which is not large) of a parent organisation (which is large) may commit an FTPF Offence where an employee of the subsidiary commits a Base Fraud Offence and some of the benefits are intended for the subsidiary.

While a subsidiary can commit a FTPF Offence in its own right, whether or not it itself is a "large organisation" (as outlined in example 4 above), a subsidiary can also be an associated person. This means that it is possible for a parent company to be prosecuted for FTPF Offence where the Base Fraud Offence is committed 'corporately' by a subsidiary and where the beneficiary is the parent organisation, or its client(s) – or indeed the subsidiary of clients.

Intending to benefit

One of the key issues for any prosecution would be to identify who is intended to benefit from the Base Fraud Offence. The Guidance makes it clear that an organisation does not necessarily need to receive any actual benefit (i.e. intention is enough), the benefit does not need to be financial, and the intention to benefit does not need to be the sole/dominant motivating factor for the Base Fraud Offence – although "prosecutors will apply a public interest case before proceeding with prosecution", which suggests that the benefit will need to be relatively clear. Equally, an organisation will not be liable where it is the victim/intended victim of the Base Fraud Offence.

Generally speaking, an entity may be liable 'corporately' where the acts are self-evidently its own (i.e. the company contracts with someone, and the contract is premised on a fraud) or for acts of senior managers/officers which are taken to be its own – via the 'identification doctrine'.

Example:

Fred is a senior manager within Subsidiary Co, which is an entity owned by Parent Co and tasked with winning new business for Parent Co, and Fred dupes a purchaser into signing a contract.

Fred may be guilty of a Base Fraud Offence, but as he is a senior manager within Subsidiary Co, it may be 'corporately' liable for that same fraud. Parent Co may then be liable for the fraud of Subsidiary Co via the FTPF Offence (as Subsidiary Co is an associated person acting for Parent Co's benefit) – unless Parent Co can demonstrate that it had reasonable fraud prevention procedures in place.

However, Parent Co is not liable for Fred's conduct (as he is an associated person of an associated person, from Parent Co's perspective). Alternatively, if Fred is a more junior employee of Subsidiary Co, such that the above identification doctrine does not kick in – then it's possible that Subsidiary Co would not be 'corporately' liable. Subsidiary Co may then be liable for Fred's acts under the FTPF Offence – but Parent Co would not be liable for Subsidiary Co or Fred.

This interaction between the FTPF Offence and the extension of the identification doctrine has widened the possible ways in which a parent company can be held to account for the harm committed by those acting on its behalf. As is discussed below, it is important to ensure that any procedures implemented (including training) cover the activities of the organisation's senior management and the senior management of any of its subsidiaries.

WHAT 'REASONABLE PROCEDURES' ARE REQUIRED TO ENGAGE THE DEFENCE?

As set out above, and as is the case in relation to 'failure to prevent bribery' under the Bribery Act and 'failure to prevent the facilitation of tax evasion' under the Criminal Finances Act 2017, there is a full defence if the organisation can show that it had "reasonable procedures" in place to prevent fraud from taking place. The Guidance makes it clear that any assessment of what are "reasonable procedures" will be context-specific, taking into account the particular facts and circumstances of the case, and assessed on the balance of probabilities.

The Guidance emphasises that these procedures should be tailored to the business (including the sector in which it operates) and consider the organisation's structure and territoriality. This includes parent companies potentially taking steps to prevent fraud by subsidiaries by implementing group-level policies, training staff, and ensuring that there is a nominated person responsible for fraud prevention in each subsidiary – although all of this will need to be considered in the context of the group's (or alternative investment structure's) wider approach to balancing the risks associated with additional, more centralised group control of operating matters.

Chapter 3 of the Guidance sets out the key considerations for organisations while developing their "reasonable fraud prevention procedures". It states that organisations should be informed by six key principles, discussed further below. These principles are very similar to those found in the guidance for failure to prevent bribery. As with the Bribery Act 2010, they are intended to be flexible and proportionate to the business, allowing for the various ways in which commercial organisations can be structured and organised – and "departure from the suggested procedures contained within the guidance will not automatically mean that the organisation did not have reasonable fraud prevention procedures in place".   

Principle 1: Top level commitment

Effective and robust governance structures are increasingly becoming the key component against which companies are measured in regard to ethical business practices. Top level commitment is critical to achieving good governance, as it ensures that the correct prevention measures are implemented, monitored, and the right culture is fostered.

Organisations should therefore be able to demonstrate that their senior management are committed to preventing fraud from being committed within, or using, their business. Organisations can do this in a number of different ways.

Some examples are:

  • Communicating and endorsing the organisation's stance on preventing fraud: Senior managers may consider releasing statements to stakeholders (including, but not limited to, employees) that (i) reiterate the commitment to preventing fraud, (ii) articulate the benefits of eradicating fraud, (iii) name other key individuals involved in the implementation of prevention procedures, and (iv) specify the circumstances which would lead to a person breaching the organisation's policy on fraud.

  • Creating a clear governance structure across the organisation: This includes having defined roles and responsibilities for fraud prevention measures and ensuring that new starters are appropriately trained.

  • Developing and reviewing preventative procedures: Senior managers may either be personally involved in their design or implementation or, if that is not proportionate, have designated responsibility appropriately (i.e. to a specific committee).

  • Discussing prevention measures at board or senior executive level: This includes ensuring that failure to prevent fraud (and other financial crime prevention procedures) are discussed at appropriate meetings – for instance as part of a risk management update and that sufficient resources are allocated.

  • Fostering an open culture: Employees should be encouraged to speak up if they have ethical concerns. This position may be codified in the organisation's whistleblowing policy, etc.

Principle 2: Risk assessment

As with the failure to prevent bribery offence, undertaking risk assessments is a key part of implementing reasonable fraud prevention procedures.

The Guidance recommends that organisations consider the (i) opportunity, (ii) motive, and (iii) means by which an associated person could commit fraud when undertaking a risk assessment.

Generally speaking, a failure to prevent fraud risk assessment should consist of two parts:

  1. First, organisations should identify the potential cases where associated persons could attempt fraud that benefits the company, its clients or subsidiaries of those clients.
  2. Second, organisations should classify any identified risks by 'likelihood' and 'impact' and provide a description of why that classification was chosen. 

Given the multitude of ways in which fraud can be committed, it is important to identify which risks are material for the business (i.e. likely and/or impactful) and to implement prevention measures to address them. The Guidance provides that, where a fraud is deemed to be unlikely to take place and with low impact, it may be appropriate not to have specific prevention plans in place. However, this decision should be documented – we have found the lack of a documented risk assessment to be a common pitfall in approaches taken in relation to anti-bribery.

Principle 3: Robust but proportionate risk-based prevention procedures

Once the organisation has carried out a risk assessment it should draw up a fraud prevention plan, which outlines the processes and procedures the organisation intends to implement to mitigate the risk of fraud (the "Anti-Fraud Policy").

It is recommended that the Anti-Fraud Policy should be stress-tested by members of the organisation not involved in writing it. It is also recommended that organisations review relevant sector-specific information and other third-party information, such as from the Fraud Advisory Panel and the “Love Business Hate Fraud” website.

Organisations should consider establishing proportionate fraud prevention procedures which are based on reducing the opportunity, motive, and means to commit fraud, such as:

  • Reducing the opportunity: (i) implementing pre-employment and vetting checks, particularly for high risk roles in HR, payment and finance; (ii) carrying out fraud impact assessments on new services and products; (iii) ensuring that fraud risks are equally managed throughout procurement processes (including pre-tender, tender, contract management and project delivery); (iv) implementing robust invoice verification and sign-off processes; (v) applying a sector specific approach to fraud risk management.

  • Reducing the motive: (i) identifying and minimising bonus frameworks that encourage fraudulent behaviour or too much risk-taking; (ii) identifying time pressures that may encourage staff to cut corners; (iii) taking measures to ensure that an anti-fraud ethos is instilled across the organisation; (iv) carrying out training and communicating anti-fraud principles; (v) collecting and reviewing information on conflicts of interest.

  • Reducing the means: (i) strengthening existing due diligence and sign-off procedures; (ii) carrying out sector-specific and role-specific anti-fraud training; (iii) vigorously evaluating and monitoring training; (iv) carrying out due diligence on the prevention procedures implemented by persons or bodies carrying out services on your behalf; (v) bolstering procedures for avoiding conflicts of interest.

It is also important to improve the detection of fraud and put in place consequences for committing fraud. For example:

  • Organisations may consider using data driven tools to identify issues in regard to procurement, payment, invoicing etc.

  • Staff may be trained and encouraged to speak up, in addition to establishing robust whistleblowing procedures (that are clearly communicated).

Principle 4: Due diligence

Organisations should implement a risk-based approach to any due diligence measures in relation to fraud detection and prevention, and review and update these measures as necessary. Whilst the Guidance acknowledges that many organisations will already be undertaking due diligence, this may not necessarily be adequate to tackle the risk of fraud, and any extant procedures should be reviewed and updated as necessary.

Due diligence measures should be proportionate, and it is not expected that all businesses carry out enhanced due diligence of every customer, supplier, or employee. However, if a decision is made not to carry out due diligence, the reasons for this decision should be documented in the relevant risk assessment. The depth of due diligence required by an organisation will depend on, amongst other things, the level of control and supervision the organisation is able to exercise over the person. 

Principle 5: Communication (including training)

Once an organisation has set up its fraud prevention procedures (including due diligence) and set these out through an Anti-Fraud Policy, it must ensure that these are communicated, embedded, and understood throughout the organisation.

Training: Anti-fraud training is critical to this process and may consider the following:

  • Requiring representatives to undertake fraud-specific training, depending on their role, sector, jurisdiction, or business opportunities.

  • Training should be proportionate to the risk faced by the individual – this may involve incorporating training into existing financial crime training, or introducing bespoke anti-fraud training to address specific risks.

  • Certain high-risk individuals (e.g. members of procurement teams) may require specific tailored training.

  • Third party associated persons may need to have specific training, or they might need to be encouraged to ensure that their own arrangements are in place.

  • Training should be monitored, reviewed and evaluated.

Whistleblowing: Whistleblowing procedures are also an important tool in the prevention of financial crime. Training should include ensuring that staff and other associated persons are familiar with whistleblowing policies.

Principle 6: Monitoring and Review

Once an organisation has implemented its Anti-Fraud Policy (and other procedures), it should ensure that these are monitored and kept under review. Organisations may consider the following steps when reviewing their fraud prevention procedures:

  • Carrying out periodic reviews of their fraud prevention procedures;

  • Engaging with third-party professional organisations such as law firms and accountants; and

  • Examining deferred prosecution agreements.

Finally, organisations should review their fraud prevention procedures on an ongoing basis in light of any developments. For example, more formal and robust procedures may need to be implemented following criminal activity. Consideration should also be given to what would trigger an investigation, and what steps should be taken where a fraud attempt is detected.

EXISTING PROCEDURES

The Guidance acknowledges that many organisations in scope of the ECCTA will have existing processes in place to ensure compliance with other regulatory obligations and that many of these will address certain potential frauds.

For example, robust processes for compliance with environmental regulations would be expected to prevent fraud by misrepresentation on environmental statements. The Guidance makes clear that whilst 'synergies' in processes are possible, it would not be a suitable defence to state that because an organisation is regulated, its compliance processes under existing regulations would automatically qualify as “reasonable procedures” under the ECCTA (see examples below).

PROSECUTIONS AND PENALTIES

The FTPF Offence can be prosecuted by:

  • the Crown Prosecution Service (for England and Wales), the Crown Office and Procurator Fiscal Service (for Scotland), the Public Prosecution Service for Northern Ireland; and

  • the Serious Fraud Office (for England, Wales and Northern Ireland).

As is the case for many other financial crime offences in the UK, deferred prosecution arrangements will be available and whether or not the organisation has cooperated with any investigation will be factored into prosecution decisions.

If convicted, an organisation can receive an unlimited fine, although courts "will take account of all the circumstances in deciding the appropriate level of fine for a particular case".

CONCLUSION

We would recommend that potentially in-scope organisations take this time now to review their processes and procedures to ensure that they are suitable under the ECCTA and to implement new processes and procedures where needed.

In summary, an organisation may consider doing the following:

  1. Review any existing procedures that may have been implemented in respect of the failure to prevent the facilitation of tax evasion offence (under the Criminal Finances Act 2017) or the failure to prevent bribery offence (under the Bribery Act) to ensure that they remain suitable in light of the ECCTA.
  2. Carry out an anti-fraud risk assessment to assess the risk of fraud being committed by an associated person for the benefit of the organisation.
  3. Implement due diligence measures to mitigate against any material risks identified in the anti-fraud risk assessment.
  4. Implement a new fraud prevention plan, based on the findings of the risk assessment and any due diligence measures implemented.
  5. Appoint a nominated person responsible for fraud prevention in your organisation, and each subsidiary.
  6. Carry out regular training of staff and employees, including tailored training for high-risk members of staff and senior management.
  7. Monitor and review your fraud prevention procedures on an ongoing basis.

Our team at Travers Smith has extensive experience in helping clients in approaching similar 'failure to prevent' offences, and engaging adequate procedures defences, in relation to other areas of financial crime in the UK. We are already helping clients prepare to deal with the new FTPF Offence in a way which is pragmatic, responsive and aligned with that existing wider framework. Please do not hesitate to get in touch if you have any questions or would like further assistance.

Key Contacts

John Buttanshaw
Harrie Narain
Sarah-Jane Denton
Aisling Arthur
Beliz McKenzie
Sarah Lauder
Emily Lang